
Spybot won't run



Appro
2010-01-12, 14:51
Before I get started I just want to say that I am immensely grateful that there is a community like this, so thank you to all.

On to the problem, Spybot isn't running. Nod32 is but can't detect anything. Ad aware is running but doesn't find anything.

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:54 AM, on 1/13/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\Iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7ab906e7-c404-4328-9531-0d36ae8196d1} - C:\WINDOWS\system32\mohoyodi.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [twunk_32x.exe] C:\DOCUME~1\Chris\LOCALS~1\Temp\twunk_32x.exe
O4 - HKCU\..\Run: [Malware Defense] "C:\Program Files\Malware Defense\mdefense.exe" -noscan
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: NETGEAR WPN311 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: wbsysdll,C:\WINDOWS\system32\jovijora.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe

--
End of file - 8143 bytes
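An added example, not part of this thread and not a Safer Networking or HijackThis tool: a small Python triage script that reads HijackThis log lines like the ones above and flags a few persistence indicators a helper usually looks at first. The sample lines are copied from the log posted above (two of them are ordinary benign entries, kept for contrast), and the three heuristics (an O4 autorun launched from a Temp folder, an O2 BHO with no name or a missing file, a populated O20 AppInit_DLLs value) are my own assumptions about what merits a closer look, not a verdict on this machine.

```python
import re
from typing import Dict, List, Tuple

# Sample HijackThis lines, constructed for this example: all five are copied from
# the log posted above; the Adobe BHO and the ESET egui entry are benign controls.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7ab906e7-c404-4328-9531-0d36ae8196d1} - C:\WINDOWS\system32\mohoyodi.dll (file missing)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [twunk_32x.exe] C:\DOCUME~1\Chris\LOCALS~1\Temp\twunk_32x.exe
O20 - AppInit_DLLs: wbsysdll,C:\WINDOWS\system32\jovijora.dll
"""

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKCU\..\Run: [...] ...".
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Reason strings are kept as constants so callers can match on them.
REASON_TEMP_AUTORUN = "autorun entry launches an executable from a temporary directory"
REASON_ODD_BHO = "browser helper object with no name or a missing file"
REASON_APPINIT = "AppInit_DLLs is populated; listed DLLs are loaded into every process that links user32.dll"


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section, body) pairs, skipping non-entry lines."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage_hjt(text: str) -> List[Dict[str, object]]:
    """Return the entries that trip one of the review heuristics, with the reasons."""
    findings = []
    for section, body in parse_hjt(text):
        lowered = body.lower()
        reasons = []
        # O4 = Run keys. Legitimate software very rarely autostarts from %TEMP%.
        if section == "O4" and "\\temp\\" in lowered:
            reasons.append(REASON_TEMP_AUTORUN)
        # O2 = browser helper objects. Unnamed or dangling BHOs are worth a look.
        if section == "O2" and ("(no name)" in lowered or "(file missing)" in lowered):
            reasons.append(REASON_ODD_BHO)
        # O20 = AppInit_DLLs. Any non-empty value deserves review on a home PC.
        if section == "O20" and lowered.startswith("appinit_dlls:"):
            if body.split(":", 1)[1].strip():
                reasons.append(REASON_APPINIT)
        if reasons:
            findings.append({"section": section, "line": f"{section} - {body}", "reasons": reasons})
    return findings


def format_report(findings: List[Dict[str, object]]) -> str:
    """Render findings as plain text suitable for pasting into a reply."""
    if not findings:
        return "No entries matched the review heuristics."
    out = []
    for f in findings:
        out.append(f["line"])
        for r in f["reasons"]:
            out.append(f"    -> {r}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(triage_hjt(SAMPLE_LOG)))
```

A flagged line is a prompt to check the file (publisher, location, creation date) rather than proof of infection; the two benign control lines pass untouched, which is the point of keeping them in the sample.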

peku006
2010-01-14, 14:22
Hello and welcome to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

If you don't know or understand something please don't hesitate to ask
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

Thanks peku006

Appro
2010-01-15, 15:06
Combofix won't run. I saved it to desktop and followed the instructions from the link but when I click run the hourglass comes up for a few seconds then nothing happens, same as when I try to run spybot. I open task manager and combofix.exe appears in processes but that's all. help?

peku006
2010-01-16, 10:03
Hi Appro
Do not worry, we have other "tools".

1 - Download and Run Malwarebytes' Anti-Malware

Please save any items you were working on... close any open programs. You may be asked to reboot your machine.
Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php) and save it to your desktop. If needed...Tutorial w/screenshots (http://thespykiller.co.uk/index.php/topic,5946.0.html)
Alternate download sites available here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or here (http://www.besttechie.net/tools/mbam-setup.exe).
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish. MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
Problems downloading the updates? Manually download them from here (http://malwarebytes.gt500.org/mbam-rules.exe) and double-click on "mbam-rules.exe" to install.
On the Scanner tab:
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
We will take care of the System Volume Information items later.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2 - download and run RSIT

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (will be maximized) and info.txt (will be minimized)

3 - Status Check
Please reply with

1. the logs from RSIT (log.txt, info.txt)
2. the Malwarebytes' Anti-Malware Log
3. description of any problems you are having with your PC

Thanks peku006

Appro
2010-01-17, 10:15
mbam-setup won't run. It just appears in processes but that's all.

peku006
2010-01-18, 10:50
Hi Appro

Right click the mbam-setup.exe file> click rename> rename it Appro.exe then try to run it

Thanks peku006

Appro
2010-01-20, 03:51
I managed to get mbam to run and I performed a full system scan. It detected 44 suspicious files but when I clicked 'remove all' the program begins to delete the files but then freezes and stops working. It stops at a registry entry (CURRENT_USER...), I waited an hour and it didn't move. I end the program and reopen mbam and the files are in the quarantine section but there are no log files...?

peku006
2010-01-20, 10:15
Hi Appro

Please continue with RSIT

Thanks peku006

Appro
2010-01-20, 13:52
RSIT log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Chris at 2010-01-20 23:54:22
Microsoft Windows XP Professional Service Pack 2
System drive C: has 300 GB (63%) free of 477 GB
Total RAM: 3327 MB (75% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:25 PM, on 1/20/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.21148)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Chris.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7ab906e7-c404-4328-9531-0d36ae8196d1} - C:\WINDOWS\system32\mohoyodi.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [twunk_32x.exe] C:\DOCUME~1\Chris\LOCALS~1\Temp\twunk_32x.exe
O4 - HKCU\..\Run: [Malware Defense] "C:\Program Files\Malware Defense\mdefense.exe" -noscan
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: NETGEAR WPN311 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O4 - Global Startup: WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
O4 - Global Startup: WDSmartWare.lnk = C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: wbsysdll,C:\WINDOWS\system32\jovijora.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

--
End of file - 8870 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}]
FGCatchUrl - C:\Program Files\FlashGet\jccatch.dll [2007-08-06 94308]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ab906e7-c404-4328-9531-0d36ae8196d1}]
C:\WINDOWS\system32\mohoyodi.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-02-21 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-02-21 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F156768E-81EF-470C-9057-481BA8380DBA}]
FlashGet GetFlash Class - C:\Program Files\FlashGet\getflash.dll [2007-05-19 163840]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-06-26 13529088]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-06-26 86016]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2008-02-20 1443072]
"H2O"=C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe [2007-12-11 307200]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-09-05 417792]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2010-01-12 520024]
"TMRUBottedTray"=C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe [2008-11-06 288088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"RocketDock"=C:\Program Files\RocketDock\RocketDock.exe [2007-09-02 495616]
"twunk_32x.exe"=C:\DOCUME~1\Chris\LOCALS~1\Temp\twunk_32x.exe []
"Malware Defense"=C:\Program Files\Malware Defense\mdefense.exe -noscan []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
C:\Program Files\FlashGet\flashget.exe [2007-09-25 2007088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-10-28 141600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Phase28Panel]
C:\Program Files\TerraTec\PHASE 22 & 28 ControlPanel\Protecmixer.exe [2007-03-21 266240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
NETGEAR WPN311 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
WDDMStatus.lnk - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
WDSmartWare.lnk - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="wbsysdll,C:\WINDOWS\system32\jovijora.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll [2008-09-17 210168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll [2007-04-16 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\jovijora.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\FlashGet\flashget.exe"="C:\Program Files\FlashGet\flashget.exe:*:Enabled:Flashget"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Disabled:mIRC"
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe:*:Enabled:AppleMobileDeviceService"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53115428-00e3-11df-8901-8b0d99b4b2e5}]
shell\AutoRun\command - "H:\WD SmartWare.exe" autoplay=true

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69519275-db19-11de-889e-001e2aac20c2}]
shell\AutoRun\command - F:\9b9w3.exe
shell\open\command - F:\9b9w3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd364922-9f90-11de-87fa-001e2aac20c2}]
shell\AutoRun\command - setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2a0adc5-516e-11de-8768-001e2aac20c2}]
shell\AutoRun\command - F:\WDSetup.exe


======File associations======

.reg - open - "regedit.exe" "%1"

======List of files/folders created in the last 1 months======

2010-01-20 23:54:22 ----D---- C:\rsit
2010-01-19 23:25:52 ----D---- C:\Documents and Settings\Chris\Application Data\Malwarebytes
2010-01-19 12:27:03 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-01-18 22:18:24 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-01-14 18:28:32 ----D---- C:\Documents and Settings\All Users\Application Data\WD_SmartWareCommon
2010-01-14 18:10:52 ----D---- C:\Documents and Settings\Chris\Application Data\Western Digital
2010-01-14 18:10:49 ----D---- C:\Documents and Settings\All Users\Application Data\Western Digital
2010-01-14 18:10:29 ----D---- C:\Program Files\Western Digital
2010-01-13 11:36:52 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2010-01-13 11:36:48 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2010-01-13 11:36:44 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2010-01-13 11:36:40 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2010-01-13 11:36:37 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2010-01-13 11:36:33 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2010-01-13 11:36:30 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2010-01-13 11:36:10 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2010-01-13 11:36:01 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2010-01-13 11:36:00 ----D---- C:\WINDOWS\system32\KB905474
2010-01-13 11:35:16 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2010-01-13 11:35:12 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2010-01-13 11:34:42 ----HDC---- C:\WINDOWS\$NtUninstallKB961371-v2$
2010-01-13 11:34:38 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2010-01-13 11:34:30 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2010-01-13 11:34:26 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2010-01-13 11:34:21 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2010-01-13 11:34:00 ----D---- C:\WINDOWS\ServicePackFiles
2010-01-13 11:33:58 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2010-01-13 11:33:54 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2010-01-13 11:33:47 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2010-01-13 11:33:42 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2010-01-13 11:33:21 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2010-01-13 11:33:09 ----D---- C:\Program Files\MSXML 6.0
2010-01-13 11:33:04 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$
2010-01-13 11:33:01 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2010-01-13 11:32:57 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2010-01-13 11:32:55 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2010-01-13 11:32:51 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2010-01-13 11:32:49 ----A---- C:\WINDOWS\system32\wmpns.dll
2010-01-13 11:32:46 ----A---- C:\WINDOWS\system32\spupdsvc.exe
2010-01-13 11:32:45 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9L$
2010-01-13 11:32:40 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2010-01-13 11:32:36 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2010-01-13 11:32:12 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2010-01-13 11:31:58 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2010-01-13 11:31:46 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2010-01-13 11:31:43 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2010-01-13 11:31:40 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2010-01-13 11:31:37 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2010-01-13 11:31:34 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2010-01-13 11:31:30 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2010-01-13 11:31:26 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2010-01-13 11:31:10 ----D---- C:\WINDOWS\ie7updates
2010-01-13 11:31:04 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2010-01-13 11:31:00 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2010-01-13 11:30:44 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2010-01-13 11:30:40 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2010-01-13 11:27:06 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2010-01-13 11:27:01 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2010-01-13 11:26:29 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2010-01-13 11:26:21 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2010-01-13 11:26:14 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2010-01-13 11:26:10 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$
2010-01-13 11:26:03 ----HDC---- C:\WINDOWS\$NtUninstallKB971032$
2010-01-13 11:25:58 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2010-01-13 11:25:55 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2010-01-13 11:25:51 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2010-01-13 11:25:49 ----D---- C:\Program Files\MSXML 4.0
2010-01-13 11:25:43 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2010-01-13 11:25:26 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2010-01-13 11:24:59 ----HDC---- C:\WINDOWS\$NtUninstallKB971961$
2010-01-13 11:24:56 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2010-01-13 11:24:50 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2010-01-13 11:24:43 ----N---- C:\WINDOWS\system32\spmsg.dll
2010-01-13 11:24:41 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2010-01-13 11:24:41 ----HD---- C:\WINDOWS\$hf_mig$
2010-01-13 00:29:57 ----D---- C:\Documents and Settings\Chris\Application Data\AVG8
2010-01-13 00:25:33 ----D---- C:\WINDOWS\system32\CatRoot_bak
2010-01-12 23:29:34 ----D---- C:\Program Files\Trend Micro
2010-01-12 23:27:52 ----N---- C:\WINDOWS\system32\tzchange.exe
2010-01-12 22:53:56 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2010-01-12 22:53:56 ----A---- C:\WINDOWS\system32\mucltui.dll
2010-01-12 22:53:51 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2010-01-12 22:53:51 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
2010-01-12 22:53:51 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
2010-01-12 22:53:51 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2010-01-12 21:56:17 ----A---- C:\WINDOWS\system32\lsdelete.exe
2010-01-12 21:25:03 ----HDC---- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2010-01-12 21:24:58 ----D---- C:\Program Files\Lavasoft
2010-01-12 21:24:58 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2010-01-12 20:05:34 ----D---- C:\Program Files\Malware Defense
2010-01-12 19:54:15 ----A---- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
2010-01-08 16:57:40 ----D---- C:\Program Files\Microsoft Silverlight
2009-12-24 00:08:49 ----D---- C:\Program Files\Rockstar Games

======List of files/folders modified in the last 1 months======

2010-01-20 23:46:51 ----D---- C:\Program Files\Mozilla Firefox
2010-01-20 23:45:39 ----D---- C:\WINDOWS\Temp
2010-01-20 23:45:39 ----D---- C:\WINDOWS\system32
2010-01-20 14:09:54 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-20 02:17:22 ----D---- C:\WINDOWS\system32\CatRoot2
2010-01-19 12:27:14 ----D---- C:\WINDOWS\system32\drivers
2010-01-18 22:18:24 ----D---- C:\Program Files
2010-01-16 19:36:41 ----D---- C:\WINDOWS\Registration
2010-01-16 12:53:59 ----D---- C:\WINDOWS\Prefetch
2010-01-16 00:13:12 ----SH---- C:\boot.ini
2010-01-16 00:13:12 ----A---- C:\WINDOWS\win.ini
2010-01-16 00:13:12 ----A---- C:\WINDOWS\system.ini
2010-01-14 22:40:32 ----D---- C:\Downloads
2010-01-14 21:01:42 ----D---- C:\Program Files\FlashGet
2010-01-14 19:02:15 ----D---- C:\WINDOWS
2010-01-14 18:44:21 ----HD---- C:\WINDOWS\inf
2010-01-14 18:10:48 ----SHD---- C:\WINDOWS\Installer
2010-01-14 18:10:37 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-01-14 00:27:34 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-01-13 12:18:05 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-01-13 12:18:05 ----D---- C:\WINDOWS\system32\wbem
2010-01-13 12:18:05 ----D---- C:\WINDOWS\system32\Setup
2010-01-13 12:18:05 ----D---- C:\WINDOWS\AppPatch
2010-01-13 12:18:05 ----D---- C:\Program Files\Internet Explorer
2010-01-13 11:36:50 ----A---- C:\WINDOWS\imsins.BAK
2010-01-13 11:36:42 ----D---- C:\Program Files\Messenger
2010-01-13 11:36:30 ----D---- C:\WINDOWS\WinSxS
2010-01-13 11:36:23 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2010-01-13 11:36:00 ----SD---- C:\WINDOWS\Tasks
2010-01-13 11:34:00 ----D---- C:\WINDOWS\system32\en-us
2010-01-13 11:31:32 ----D---- C:\Program Files\Outlook Express
2010-01-13 11:28:55 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-01-13 01:06:17 ----D---- C:\WINDOWS\security
2010-01-13 00:54:21 ----D---- C:\WINDOWS\system32\CatRoot
2010-01-13 00:25:32 ----D---- C:\WINDOWS\Debug
2010-01-12 23:29:35 ----HD---- C:\Program Files\InstallShield Installation Information
2010-01-12 22:53:57 ----D---- C:\WINDOWS\Help
2010-01-12 22:53:56 ----D---- C:\WINDOWS\SoftwareDistribution
2010-01-12 17:59:50 ----D---- C:\Documents and Settings\Chris\Application Data\FabFilter
2010-01-12 17:52:33 ----D---- C:\Program Files\Common Files\VST3
2010-01-12 17:52:30 ----D---- C:\Program Files\FabFilter
2010-01-12 01:24:54 ----D---- C:\Documents and Settings\Chris\Application Data\LimeWire
2010-01-05 00:48:40 ----A---- C:\WINDOWS\system32\msvcsv60.dll
2009-12-29 01:35:47 ----D---- C:\Documents and Settings\Chris\Application Data\uTorrent

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-02-20 29704]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 33800]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2007-04-16 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2009-03-15 56268]
R2 adfs;adfs; C:\WINDOWS\system32\drivers\adfs.sys [2008-08-14 74720]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-02-17 17801]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-02-20 39944]
R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2007-04-16 62336]
R3 AR5211;NETGEAR WPN311 V1H3 Wireless Adapter Service; C:\WINDOWS\system32\DRIVERS\WPN311.sys [2006-07-05 472000]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2007-04-16 60800]
R3 CLEDX;Team H2O CLEDX service; C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 33792]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-23 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2007-04-16 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2007-04-16 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-06-26 6555168]
R3 Protec;PHASE WDM Audio; C:\WINDOWS\system32\drivers\Protec.sys [2007-04-13 69664]
R3 TMPassthruMP;TMPassthruMP; C:\WINDOWS\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2007-04-16 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2007-04-16 59264]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2007-04-16 20608]
R3 WDC_SAM;WD SCSI Pass Thru driver; C:\WINDOWS\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
S2 Nsynas32;Nsynas32; C:\WINDOWS\system32\drivers\Nsynas32.sys []
S3 lm1394;Liquid Mix Service; C:\WINDOWS\system32\DRIVERS\lm1394.sys [2008-02-18 30208]
S3 RDID1027;EDIROL PCR; C:\WINDOWS\System32\Drivers\rdwm1027.sys [2003-10-31 60698]
S3 TMPassthru;Trend Micro Passthru Ndis Service; C:\WINDOWS\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 usbsermptxp;Motorola USB Modem Driver for MPT XP; C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys [2009-09-12 24192]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2007-04-16 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2007-04-16 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-02-21 152984]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2010-01-12 1028432]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0; C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-24 935208]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-06-26 159812]
R2 RUBotted;Trend Micro RUBotted Service; C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe [2008-11-06 582992]
R2 WDDMService;WD SmartWare Drive Manager; C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-10-14 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service; C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
S2 NOD32FiXTemDono;Eset Nod32 Boot; C:\WINDOWS\system32\regedt32.exe [2001-08-23 3584]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2008-02-20 19200]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-04-07 655624]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-10-28 545568]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S4 ACS;Atheros Configuration Service; C:\WINDOWS\system32\acs.exe [2006-12-04 36864]

-----------------EOF-----------------

Appro
2010-01-20, 13:53
RSIT info:
info.txt logfile of random's system information tool 1.06 2010-01-20 23:54:27

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
112dB Redline Reverb VST v1.0.0.987-->"C:\Program Files\112dB\Redline Reverb\unins000.exe"
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"
ACID Pro 7.0-->MsiExec.exe /X{FBCED1D8-E731-42B7-AD49-A291175BAA1B}
Acrobat.com-->msiexec /qb /x {77DCDCE3-2DED-62F3-8154-05E745472D07}
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adam Van Baker FM7 Soundset-->C:\PROGRA~1\NATIVE~1\FM7\Presets\UNWISE.EXE C:\PROGRA~1\NATIVE~1\FM7\Presets\INSTALL.LOG
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Anchor Service CS4-->MsiExec.exe /I{1618734A-3957-4ADD-8199-F973763109A8}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge CS4-->MsiExec.exe /I{83877DB1-8B77-45BC-AB43-2BAC22E093E0}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps CS4-->MsiExec.exe /I{94D398EB-D2FD-4FD1-B8C4-592635E8A191}
Adobe Color - Photoshop Specific CS4-->MsiExec.exe /I{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}
Adobe Color EU Extra Settings CS4-->MsiExec.exe /I{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}
Adobe Color JA Extra Settings CS4-->MsiExec.exe /I{0D6013AB-A0C7-41DC-973C-E93129C9A29F}
Adobe Color NA Recommended Settings CS4-->MsiExec.exe /I{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}
Adobe Color Video Profiles CS CS4-->MsiExec.exe /I{63C24A08-70F3-4C8E-B9FB-9F21A903801D}
Adobe CSI CS4-->MsiExec.exe /I{0F723FC1-7606-4867-866C-CE80AD292DAF}
Adobe Default Language CS4-->MsiExec.exe /I{C52E3EC1-048C-45E1-8D53-10B0C6509683}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Device Central CS4-->MsiExec.exe /I{67F0E67A-8E93-4C2C-B29D-47C48262738A}
Adobe Drive CS4-->MsiExec.exe /I{16E16F01-2E2D-4248-A42F-76261C147B6C}
Adobe ExtendScript Toolkit 2-->C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}
Adobe ExtendScript Toolkit CS4-->MsiExec.exe /I{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}
Adobe Extension Manager CS4-->MsiExec.exe /I{054EFA56-2AC1-48F4-A883-0AB89874B972}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All-->MsiExec.exe /I{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Illustrator CS3-->C:\Program Files\Common Files\Adobe\Installers\a04a925a57548091300ada368235fc6\Setup.exe
Adobe Illustrator CS3-->MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe Linguistics CS4-->MsiExec.exe /I{931AB7EA-3656-4BB7-864D-022B09E3DD67}
Adobe Media Player-->msiexec /qb /x {39F6E2B4-CFE8-C30A-66E8-489651F0F34C}
Adobe Media Player-->MsiExec.exe /I{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}
Adobe Output Module-->MsiExec.exe /I{BB4E33EC-8181-4685-96F7-8554293DEC6A}
Adobe PDF Library Files CS4-->MsiExec.exe /I{F93C84A6-0DC6-42AF-89FA-776F7C377353}
Adobe Photoshop CS4 Support-->MsiExec.exe /I{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}
Adobe Photoshop CS4-->C:\Program Files\Common Files\Adobe\Installers\faf656ef605427ee2f42989c3ad31b8\Setup.exe --uninstall=1
Adobe Photoshop CS4-->MsiExec.exe /I{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}
Adobe Photoshop CS4-->MsiExec.exe /I{E4848436-0345-47E2-B648-8B522FCDA623}
Adobe Reader 9.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Search for Help-->MsiExec.exe /I{F0E64E2E-3A60-40D8-A55D-92F6831875DA}
Adobe Service Manager Extension-->MsiExec.exe /I{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}
Adobe Setup-->MsiExec.exe /I{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}
Adobe Setup-->MsiExec.exe /I{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}
Adobe Setup-->MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support CS4-->MsiExec.exe /I{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Update Manager CS4-->MsiExec.exe /I{05308C4E-7285-4066-BAE3-6B50DA6ED755}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Adobe XMP Panels CS4-->MsiExec.exe /I{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}
AdobeColorCommonSetCMYK-->MsiExec.exe /I{68243FF8-83CA-466B-B2B8-9F99DA5479C4}
AdobeColorCommonSetRGB-->MsiExec.exe /I{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}
Amazon MP3 Downloader 1.0.5-->C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe
AmpliTube Jimi Hendrix-->C:\Program Files\InstallShield Installation Information\{66BA35B0-1911-47EF-B170-1DCFFDA362F1}\setup.exe -runfromtemp -l0x0009 uninstall -removeonly
AmpliTube2-->C:\Program Files\InstallShield Installation Information\{C95AACD4-9507-4F5C-9D53-22B1ACCFECD1}\setup.exe -runfromtemp -l0x0009 uninstall -removeonly
Antares Autotune VST v5.09-->"C:\Program Files\Antares Audio Technologies\Uninstall\unins000.exe"
Apple Application Support-->MsiExec.exe /I{B607C354-CD79-4D22-86D1-92DC94153F42}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ArtsAcoustic Reverb 1.2.0-->C:\Program Files\ArtsAcoustic Reverb\uninst.exe
Arturia Arp2600 V v1.0-->C:\PROGRA~1\Arturia\ARP260~1\UNWISE.EXE C:\PROGRA~1\Arturia\ARP260~1\INSTALL.LOG
Arturia Minimoog V v1.0-->C:\PROGRA~1\Arturia\MINIMO~1\UNWISE.EXE C:\PROGRA~1\Arturia\MINIMO~1\INSTALL.LOG
Arturia Moog Modular V2 v1.0-->C:\PROGRA~1\Arturia\MOOGMO~1\UNWISE.EXE C:\PROGRA~1\Arturia\MOOGMO~1\INSTALL.LOG
ASIO4ALL-->C:\Program Files\ASIO4ALL v2\uninstall.exe
Avanquest update-->"C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -runfromtemp -l0x0009 -removeonly
Bass Station 1.51-->"C:\Program Files\Uninstall Information\{ABAF1232-6213-4062-9D52-04E04A730CEA}\unins000.exe"
BBE D82 Sonic Maximizer VST RTAS v2.0-->"C:\Program Files\Nomad Factory\Uninstall\unins000.exe"
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
BrainWave Generator-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BrainWave Generator\Uninst.isu"
Brainworx BX Digital VST v1.09-->"C:\Program Files\Brainworx Music\Uninstall\unins000.exe"
Camel Audio Alchemy-->C:\Program Files\Steinberg\VstPlugins\Alchemy\Alchemy\AlchemyUninstall.exe
Canon S200SP-->C:\WINDOWS\system32\CNMCP3Y.EXE -@C:\WINDOWS\IsUninst.exe -f"C:\BJPrinter\CNMWINDOWS\Canon S200SP Installer\Inst\DeIsL1.isu" -pCanon S200SP-c"C:\BJPrinter\CNMWINDOWS\Canon S200SP Installer\Inst\bjinst.dll
Collab-->C:\Program Files\Image-Line\Collab\uninstall.exe
Connect-->MsiExec.exe /I{B29AD377-CC12-490A-A480-1452337C618D}
Cycling '74 MaxMSP v4.5.4-->C:\PROGRA~1\CYCLIN~1\MAXMSP~1.5\UNWISE.EXE C:\PROGRA~1\CYCLIN~1\MAXMSP~1.5\INSTALL.LOG
db audioware Sidechain Compressor VST v1.1.0-->C:\PROGRA~1\STEINB~1\VSTPLU~1\DBAUDI~1\SIDECH~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\DBAUDI~1\SIDECH~1\INSTALL.LOG
db audioware Sidechain Gate VST v1.1.0-->C:\PROGRA~1\STEINB~1\VSTPLU~1\DBAUDI~1\SIDECH~2\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\DBAUDI~1\SIDECH~2\INSTALL.LOG
ESET NOD32 Antivirus-->MsiExec.exe /I{7D974ACA-4EE5-412C-8E6A-A5B57B305727}
FabFilter Pro-C VST RTAS v1.10-->"C:\Program Files\FabFilter\unins000.exe"
FabFilter Pro-Q VST RTAS v1.0.2-->"C:\Program Files\FabFilter\Pro-Q\Uninstall\unins000.exe"
FabFilter Timeless VST RTAS v2.00-->"C:\Program Files\FabFilter\Timeless 2\Uninstall\unins000.exe"
FabFilter Twin VSTi RTAS v2.01-->"C:\Program Files\FabFilter\Twin 2\Uninstall\unins000.exe"
FL Studio 8-->C:\Program Files\Image-Line\FL Studio 8\uninstall.exe
FlashGet 1.9.6.1073-->C:\Program Files\FlashGet\uninst.exe
Focusrite Liquid Mix-->"C:\Program Files\Focusrite Liquid Mix\unins000.exe"
Freequency 2.0-->C:\WINDOWS\uninst.exe -f"C:\Program Files\Freequency 2.0\DeIsL1.isu" -c"C:\Program Files\Freequency 2.0\_ISREG32.DLL"
Genwaveaudio Genwave EQ VST v1.0-->"C:\Program Files\Genwave\Uninstall\unins000.exe"
GForce - Minimonsta-->C:\WINDOWS\unvise32.exe C:\Program Files\GForce\Minimonsta\uninstal.log
GMediaMusic - Oddity VST2-->C:\WINDOWS\unvise32.exe C:\Program Files\Steinberg\VstPlugins\GMediaMusic\Oddity VST2\uninstal.log
G-Sonique Dubmaster Liquid Delay VST 1.0-->"C:\Program Files\G-Sonique\Uninstall\unins000.exe"
G-sonique Pultronic EQ-110P VST 1.0-->"C:\Program Files\G-Sonique\Uninstall\unins001.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
IL Download Manager-->C:\Program Files\Image-Line\Downloader\uninstall.exe
iTunes-->MsiExec.exe /I{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}
Java(TM) 6 Update 12-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Jupiter-8V Demo 1.1-->"C:\Program Files\Arturia\Jupiter-8V\unins000.exe"
Kjaerhus Audio Golden Audio Gate GAG-1 v1.02 VST-->C:\PROGRA~1\KJAERH~1\GAG-1\UNWISE.EXE C:\PROGRA~1\KJAERH~1\GAG-1\INSTALL.LOG
Korg Legacy Collection v1.0.0.2-->C:\PROGRA~1\KORG\KORGLE~1\UNWISE.EXE C:\PROGRA~1\KORG\KORGLE~1\INSTALL.LOG
kuler-->MsiExec.exe /I{098727E1-775A-4450-B573-3F441F1CA243}
LimeWire 4.18.7-->"C:\Program Files\LimeWire\uninstall.exe"
LiquidInstrument Standalone 1.0-->MsiExec.exe /I{2D314071-26CD-47EA-A01E-82FADDE951C5}
LiquidInstrumentDXi2 1.0-->MsiExec.exe /I{36F0FA39-2875-4EFD-977C-C405A5E4A403}
LiquidInstrumentVst 1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A2453C21-B185-437A-933D-EAFC19D0E2D2}\setup.exe" -l0x9 -removeonly
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Max Payne 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFE1AB94-5466-4B6E-BE31-FF4C115FD25D}\Setup.exe" -l0x9
Melodyne plugin-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8C49987B-689E-469D-86AE-8E325A038701}\setup.exe" -l0x9 -removeonly
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
mIRC-->C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Motorola Phone Tools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0x9 -removeonly
Mozilla Firefox (3.0.17)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6 Service Pack 2 (KB973686)-->MsiExec.exe /I{56EA8BC0-3751-4B93-BC9D-6651CC36E5AA}
N.I Pro-53 v3.0-OxYGeN-->C:\PROGRA~1\Pro-53\UNWISE.EXE C:\PROGRA~1\Pro-53\INSTALL.LOG
Native Instruments FM7 v1.10.006-->C:\PROGRA~1\NATIVE~1\FM7\UNWISE.EXE C:\PROGRA~1\NATIVE~1\FM7\INSTALL.LOG
Native Instruments Massive v1.0.1.008 VSTi DXi RTAS-->C:\PROGRA~1\NATIVE~1\Massive\UNWISE.EXE C:\PROGRA~1\NATIVE~1\Massive\INSTALL.LOG
Nero 9-->C:\Program Files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe REMOVESERIALNUMBER="9M03-01A1-PCX7-K31A-8A94-98PT-KT2E-522A"
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NETGEAR WPN311 Wireless Adapter-->C:\Program Files\InstallShield Installation Information\{AB938897-211A-4999-9749-236D2E8E464A}\setup.exe -runfromtemp -l0x0409
NOD32 v3.0.642 FiX1.2 by TemDono (31 days remaining forever up -->"C:\Program Files\ESET\ESET NOD32 Antivirus\unins000.exe"
Novation V-Station v1.20-H2O-->C:\PROGRA~1\STEINB~1\VSTPLU~1\V-STAT~1\V-STAT~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\V-STAT~1\V-STAT~1\INSTALL.LOG
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
Ohm Force - Mobilohm VST2-->C:\WINDOWS\unvise32.exe C:\Program Files\Steinberg\VstPlugins\Ohm Force\Mobilohm VST2\uninstal.log
Ohm Force - Ohmicide VST-->C:\WINDOWS\unvise32.exe C:\Program Files\Steinberg\VstPlugins\Ohm Force\Ohmicide VST\uninstal.log
Ohm Force - Quad Frohmage VST2-->C:\WINDOWS\unvise32.exe C:\Program Files\Steinberg\VstPlugins\Ohm Force\Quad Frohmage VST2\uninstal.log
OhmForce Hematohm VST2-->C:\WINDOWS\unvise32.exe C:\Program Files\Steinberg\VstPlugins\Ohm Force\Hematohm VST2\uninstal.log
OhmForce Ohmboyz VST2-->C:\WINDOWS\unvise32.exe C:\Program Files\Steinberg\VstPlugins\Ohm Force\Ohmboyz VST2\uninstal.log
Opera 9.64-->MsiExec.exe /X{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}
PDF Settings CS4-->MsiExec.exe /I{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}
PHASE 22 & 28 ControlPanel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FEF82C79-A738-4EE2-9600-39895B21506F}\setup.exe" -l0x9
Photoshop Camera Raw-->MsiExec.exe /I{CC75AB5C-2110-4A7F-AF52-708680D22FE8}
PoiZone-->C:\Program Files\Image-Line\PoiZone\uninstall.exe
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
PSP 84 1.5.2-->"C:\Program Files\PSPaudioware\PSP 84\uninstall.exe" "/U:C:\Program Files\PSPaudioware\PSP 84\irunin.xml"
PSP Nitro 1.1.2-->"C:\Program Files\PSPaudioware\PSP Nitro\uninstall.exe" "/U:C:\Program Files\PSPaudioware\PSP Nitro\irunin.xml"
PSP oldTimer 1.1.6 32bit-->"C:\Program Files\PSPaudioware\PSP oldTimer\uninstall.exe" "/U:C:\Program Files\PSPaudioware\PSP oldTimer\irunin.xml"
PSP VintageWarmer2 2.1.4-->"C:\Program Files\PSPaudioware\PSP VintageWarmer2\uninstall.exe" "/U:C:\Program Files\PSPaudioware\PSP VintageWarmer2\irunin.xml"
QuickTime-->MsiExec.exe /I{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}
reFX Nexus 1.0.0-->"C:\Program Files\Steinberg\VstPlugins\Nexus\Uninstall\unins000.exe"
reFX Nexus 1.0.9-->"C:\Program Files\Steinberg\VstPlugins\unins001.exe"
Rob Papen Albino 3-->C:\Program Files\Steinberg\VstPlugins\UninstalAlbino3.exe
Rob Papen Predator V1.1.0-->"C:\Program Files\steinberg\vstplugins\unins002.exe"
RocketDock 1.3.5-->"C:\Program Files\RocketDock\unins000.exe"
RSO ExTreme Punch 3 VST-->C:\PROGRA~1\STEINB~1\VSTPLU~1\RSOEXT~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\RSOEXT~1\INSTALL.LOG
SampleTank 2-->C:\Program Files\InstallShield Installation Information\{6559654F-2F38-491F-8411-211517C3E635}\setup.exe -runfromtemp -l0x0009 uninstall -removeonly
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB960003)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F04F8702-18D0-458D-921E-146FB7CD38CF}
Security Update for Microsoft Office Excel 2007 (KB959997)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {9EAC3AEC-5C81-4856-A05B-DE9DC236D740}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB976325)-->"C:\WINDOWS\ie7updates\KB976325-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9L$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971032)-->"C:\WINDOWS\$NtUninstallKB971032$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Sonalksis Plug-Ins for Windows 2.02-->"C:\WINDOWS\unins000.exe"
Sonnox Oxford Inflator Native VST v1.5.1-->"C:\Program Files\Sonnox\Uninstall\Sonnox Oxford Inflator Native VST\unins000.exe"
Sonnox Oxford Limiter Native VST v1.1.1-->"C:\Program Files\Sonnox\Uninstall\Sonnox Oxford Limiter Native VST\unins000.exe"
Sonnox Oxford R3 Dynamics Native VST v1.3.1-->"C:\Program Files\Sonnox\Uninstall\Sonnox Oxford R3 Dynamics Native VST\unins000.exe"
Sonnox Oxford R3 EQ Native VST v1.6.1-->"C:\Program Files\Sonnox\Uninstall\Sonnox Oxford R3 EQ Native VST\unins000.exe"
Sonnox Oxford Reverb Native VST v1.0-->"C:\Program Files\Sonnox\Uninstall\Sonnox Oxford Reverb Native VST\unins000.exe"
Sonnox Oxford TransMod Native VST v1.3.1-->"C:\Program Files\Sonnox\Uninstall\Sonnox Oxford TransMod Native VST\unins000.exe"
Sony Noise Reduction Plug-In 2.0e-->MsiExec.exe /X{D533C9D4-ED96-4191-B9C3-279C0DD6BABA}
Sony Sound Forge 9.0-->MsiExec.exe /X{6842DCCB-2840-4E46-8AF3-BEA9CFF3455B}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SSL LMC-1 v1.0-->C:\Program Files\Steinberg\VstPlugins\Solid State Logic\Remove LMC-1.exe
SSL X-ISM v1.1-->C:\Program Files\Steinberg\VstPlugins\Solid State Logic\Remove X-ISM.exe
Steinberg Nuendo v3.2.0.1128-->C:\PROGRA~1\STEINB~1\NUENDO~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\NUENDO~1\INSTALL.LOG
Suite Shared Configuration CS4-->MsiExec.exe /I{842B4B72-9E8F-4962-B3C1-1C422A5C4434}
Sylenth1 v2.0-->"C:\Program Files\Steinberg\VstPlugins\unins000.exe"
SyncroSoft Emu (Remove only)-->C:\Program Files\SyncroSoft\Pos\H2O\Uninst.exe
Syncrosoft's License Control-->C:\PROGRA~1\SYNCRO~1\UNWISE.EXE C:\PROGRA~1\SYNCRO~1\INSTALL.LOG
Synth1-->"C:\Program Files\Synth1\setup.exe" /u
Toxic Biohazard-->C:\Program Files\Image-Line\Toxic Biohazard\uninstall.exe
Trend Micro RUBotted-->C:\Program Files\InstallShield Installation Information\{12650598-D7B9-4FB5-91B2-2CAA641AC589}\setup.exe -runfromtemp -l0x0009 -removeonly
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft Office Outlook 2007 (KB952142)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Outlook 2007 Junk Email Filter (kb976884)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {FB60F280-C70F-4174-BADB-471412AA42F0}
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VAZ Modular-->"C:\Program Files\VAZ Modular\Remove.exe" /U:"C:\Program Files\VAZ Modular\Remove.log"
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
VLC media player 0.9.8a-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Voxengo Analogflux Suite 1.5-->"C:\Program Files\Steinberg\VstPlugins\Voxengo Analogflux Suite\uninstall.exe"
Voxengo BMS VST 1.1-->"C:\Program Files\Steinberg\VstPlugins\Voxengo BMS VST\uninstall.exe"
Voxengo Crunchessor VST 1.7-->"C:\Program Files\Steinberg\VstPlugins\Voxengo Crunchessor VST\uninstall.exe"
Voxengo CurveEQ VST 2.5-->"C:\Program Files\Steinberg\VstPlugins\Voxengo CurveEQ VST\uninstall.exe"
Voxengo Deconvolver 1.9-->"C:\Program Files\Voxengo\Voxengo Deconvolver\uninstall.exe"
Voxengo Elephant VST 2.5-->"C:\Program Files\Steinberg\VstPlugins\Voxengo Elephant VST\uninstall.exe"
Voxengo GlissEQ VST 2.7-->"C:\Program Files\Steinberg\VstPlugins\Voxengo GlissEQ VST\uninstall.exe"
Voxengo HarmoniEQ VST 1.4-->"C:\Program Files\Steinberg\VstPlugins\Voxengo HarmoniEQ VST\uninstall.exe"
Voxengo LF-Max VST 1.0-->"C:\Program Files\Steinberg\VstPlugins\Voxengo LF-Max VST\uninstall.exe"
Voxengo LF-Punch VST 1.3-->"C:\Program Files\Steinberg\VstPlugins\Voxengo LF-Punch VST\uninstall.exe"
Voxengo Marquis Compressor VST 1.4-->"C:\Program Files\Steinberg\VstPlugins\Voxengo Marquis Compressor VST\uninstall.exe"
Voxengo PHA-979 VST 1.2-->"C:\Program Files\Steinberg\VstPlugins\Voxengo PHA-979 VST\uninstall.exe"
Voxengo Polysquasher VST 1.4-->"C:\Program Files\Steinberg\VstPlugins\Voxengo Polysquasher VST\uninstall.exe"
Voxengo Pristine Space VST 1.6-->"C:\Program Files\Steinberg\VstPlugins\Voxengo Pristine Space VST\uninstall.exe"
Voxengo Redunoise VST 1.5-->"C:\Program Files\Steinberg\VstPlugins\Voxengo Redunoise VST\uninstall.exe"
Voxengo Soniformer VST 2.5-->"C:\Program Files\Steinberg\VstPlugins\Voxengo Soniformer VST\uninstall.exe"
Voxengo Transmodder VST 1.5-->"C:\Program Files\Steinberg\VstPlugins\Voxengo Transmodder VST\uninstall.exe"
Voxengo Vintage Modulator VST 1.3-->"C:\Program Files\Steinberg\VstPlugins\Voxengo Vintage Modulator VST\uninstall.exe"
Voxengo Voxformer VST 1.7-->"C:\Program Files\Steinberg\VstPlugins\Voxengo Voxformer VST\uninstall.exe"
Voxengo Warmifier VST 1.5-->"C:\Program Files\Steinberg\VstPlugins\Voxengo Warmifier VST\uninstall.exe"
WaveLab Lite-->"C:\Program Files\Steinberg\WaveLab Lite\Uninstall.exe" "C:\Program Files\Steinberg\WaveLab Lite\install.log"
Waves API Collection-->C:\PROGRA~1\Waves\Logs\WAVESA~1\UNWISE.EXE C:\PROGRA~1\Waves\Logs\WAVESA~1\INSTALL.LOG
Waves Diamond Bundle v5.0-->C:\PROGRA~1\Waves\UNINST~1\UNWISE.EXE C:\PROGRA~1\Waves\UNINST~1\INSTALL.LOG
Waves Diamond Bundle v5.2-->C:\PROGRA~1\Waves\DIAMON~1\UNWISE.EXE C:\PROGRA~1\Waves\DIAMON~1\INSTALL.LOG
Waves SSL Collection v1.2-->C:\PROGRA~1\Waves\AIRLOG~1\WAVESS~1.2\UNWISE.EXE C:\PROGRA~1\Waves\AIRLOG~1\WAVESS~1.2\INSTALL.LOG
WD SmartWare-->MsiExec.exe /X{CD0DC280-2489-4464-A2FC-16104676394A}
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
WindowBlinds-->C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\UNWISE.EXE C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\INSTALL.LOG
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Hosts File======

127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com

======Security center information======

AV: Malware Defense (outdated)
AV: ESET NOD32 Antivirus 3.0

======System event log======

Computer Name: CHRIS-PC
Event Code: 7000
Message: The Atheros Configuration Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.


Record Number: 21707
Source Name: Service Control Manager
Time Written: 20100113001240.000000+600
Event Type: error
User:

Computer Name: CHRIS-PC
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the Atheros Configuration Service service to connect.

Record Number: 21706
Source Name: Service Control Manager
Time Written: 20100113001240.000000+600
Event Type: error
User:

Computer Name: CHRIS-PC
Event Code: 7000
Message: The Nsynas32 service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 21705
Source Name: Service Control Manager
Time Written: 20100113001240.000000+600
Event Type: error
User:

Computer Name: CHRIS-PC
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001E2AAC20C2. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 21677
Source Name: Dhcp
Time Written: 20100112233011.000000+600
Event Type: warning
User:

Computer Name: CHRIS-PC
Event Code: 16
Message: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Record Number: 21611
Source Name: Windows Update Agent
Time Written: 20100112225236.000000+600
Event Type: error
User:

=====Application event log=====

Computer Name: CHRIS-PC
Event Code: 1002
Message: Hanging application KeyGen.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 227
Source Name: Application Hang
Time Written: 20090301153458.000000+600
Event Type: error
User:

Computer Name: CHRIS-PC
Event Code: 1000
Message: Faulting application wlancfg5.exe, version 1.4.1.306, faulting module wlancfg5.exe, version 1.4.1.306, fault address 0x0007e990.

Record Number: 225
Source Name: Application Error
Time Written: 20090301122901.000000+600
Event Type: error
User:

Computer Name: CHRIS-PC
Event Code: 1517
Message: Windows saved user CHRIS-PC\Chris registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 222
Source Name: Userenv
Time Written: 20090228161334.000000+600
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: CHRIS-PC
Event Code: 1000
Message: Faulting application wlancfg5.exe, version 1.4.1.306, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x000106c3.

Record Number: 221
Source Name: Application Error
Time Written: 20090228102030.000000+600
Event Type: error
User:

Computer Name: CHRIS-PC
Event Code: 1000
Message: Faulting application wlancfg5.exe, version 1.4.1.306, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x000106c3.

Record Number: 218
Source Name: Application Error
Time Written: 20090227160111.000000+600
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 11, GenuineIntel
"PROCESSOR_REVISION"=0f0b
"NUMBER_OF_PROCESSORS"=4
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"KMP_DUPLICATE_LIB_OK"=TRUE
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

peku006
2010-01-20, 17:33
Hi Appro

RootRepeal - Rootkit Detector

Download RootRepeal from the following location and save it to your desktop.

Link 1 (http://rootrepeal.googlepages.com/RootRepeal.zip)
Link 2 (http://ad13.geekstogo.com/RootRepeal.zip)
Link 3 (http://rootrepeal.psikotick.com/RootRepeal.zip)

Unzip it to your Desktop
Double click RootRepeal.exe to start the program
Click on the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Shadow SSDT

Click the OK button
Check the box for your main system drive (usually C:), and click OK to start the scan.

The scan can take some time. DO NOT run any other programs while the scan is running.

When the scan is complete, the Save Report button will become available
Click this and save the report to your Desktop as RootRepeal.txt
Go to File, then Exit to close the program

Thanks peku006

Appro
2010-01-22, 06:18
RootRepeal.txt:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/22 15:13
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB753B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADFA000 Size: 8192 File Visible: No Signed: -
Status: -

Name: H8SRTxeiqhtarsc.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTxeiqhtarsc.sys
Address: 0xB7806000 Size: 118784 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB6A12000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\H8SRTcsmutcwbta.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTdmxaxmlsiq.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTfqsnkrloba.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTipkipflqdu.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\h8srtkrl32mainweq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTmeyqoewbak.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTobwulkdwfd.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTqfalkmrmdi.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\h8srtshsyst.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT9bd9.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTa6c6.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTaf80.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\H8SRTxeiqhtarsc.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Chris\Local Settings\Temp\H8SRT105.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Chris\Local Settings\Temp\h8srtmainqt.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\6H9V2ANF\down[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\HTONOT13\manifest.db3-journal
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\HTONOT13\bullet[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\KHR67XDN\info_48[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\T3U39TG8\errorPageStrings[4]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\T3U39TG8\tools[6]
Status: Locked to the Windows API!

Path: c:\documents and settings\chris\application data\western digital\wd smartware\instances\21dda246-f23b-4d97-a8b9-86b3d39ad476\21dda246-f23b-4d97-a8b9-86b3d39ad476-inq.db3
Status: Size mismatch (API: 17149952, Raw: 17165312)

Path: c:\documents and settings\chris\application data\western digital\wd smartware\instances\21dda246-f23b-4d97-a8b9-86b3d39ad476\21dda246-f23b-4d97-a8b9-86b3d39ad476-preinq.db3
Status: Size mismatch (API: 21722112, Raw: 21479424)

Path: c:\documents and settings\chris\application data\western digital\wd smartware\instances\21dda246-f23b-4d97-a8b9-86b3d39ad476\manifest.db3
Status: Size mismatch (API: 9054208, Raw: 9044992)

Path: C:\Documents and Settings\Chris\Application Data\Western Digital\WD SmartWare\instances\21DDA246-F23B-4D97-A8B9-86B3D39AD476\manifest.db3-journal
Status: Could not get file information (Error 0xc0000008)

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: services.exe (PID: 776) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: lsass.exe (PID: 788) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: svchost.exe (PID: 960) Address: 0x008a0000 Size: 36864

Object: Hidden Module [Name: H8SRTmeyqoewbak.dll]
Process: svchost.exe (PID: 960) Address: 0x00940000 Size: 65536

Object: Hidden Module [Name: H8SRTfqsnkrloba.dll]
Process: svchost.exe (PID: 960) Address: 0x10000000 Size: 86016

Object: Hidden Module [Name: H8SRTfqsnkrloba.dll]
Process: svchost.exe (PID: 1100) Address: 0x10000000 Size: 86016

Object: Hidden Module [Name: H8SRTfqsnkrloba.dll]
Process: svchost.exe (PID: 1144) Address: 0x10000000 Size: 86016

Object: Hidden Module [Name: H8SRTfqsnkrloba.dll]
Process: svchost.exe (PID: 1204) Address: 0x10000000 Size: 86016

Object: Hidden Module [Name: H8SRTfqsnkrloba.dll]
Process: svchost.exe (PID: 1244) Address: 0x10000000 Size: 86016

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: AAWService.exe (PID: 1348) Address: 0x00a10000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: spoolsv.exe (PID: 1456) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTfqsnkrloba.dll]
Process: svchost.exe (PID: 1524) Address: 0x10000000 Size: 86016

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: AppleMobileDeviceService.exe (PID: 1560) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: mDNSResponder.exe (PID: 1592) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: ekrn.exe (PID: 1632) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: jqs.exe (PID: 1736) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: Explorer.EXE (PID: 1896) Address: 0x00c50000 Size: 36864

Object: Hidden Module [Name: H8SRTfqsnkrloba.dll]
Process: Explorer.EXE (PID: 1896) Address: 0x10000000 Size: 86016

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: NBService.exe (PID: 1960) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: nvsvc32.exe (PID: 248) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: ctfmon.exe (PID: 264) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: TMRUBotted.exe (PID: 316) Address: 0x00980000 Size: 36864

Object: Hidden Module [Name: H8SRTfqsnkrloba.dll]
Process: svchost.exe (PID: 452) Address: 0x10000000 Size: 86016

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: WDDMService.exe (PID: 668) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: WDSmartWareBackgroundService.exe (PID: 976) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: RUNDLL32.EXE (PID: 1808) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: egui.exe (PID: 1824) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: cledx.exe (PID: 1864) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: GrooveMonitor.exe (PID: 2096) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: AAWTray.exe (PID: 2148) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: TMRUBottedTray.exe (PID: 2164) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: RocketDock.exe (PID: 2188) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: wlancfg5.exe (PID: 2236) Address: 0x00c20000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: WDDMStatus.exe (PID: 2284) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: WDSmartWare.exe (PID: 2296) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: unsecapp.exe (PID: 2832) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: wmiprvse.exe (PID: 2920) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: alg.exe (PID: 3332) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: RootRepeal.exe (PID: 3264) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: dwwin.exe (PID: 2628) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTcsmutcwbta.dll]
Process: iexplore.exe (PID: 4068) Address: 0x00df0000 Size: 151552

Object: Hidden Module [Name: H8SRTfqsnkrloba.dll]
Process: iexplore.exe (PID: 4068) Address: 0x10000000 Size: 86016

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTxeiqhtarsc.sys

==EOF==
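
The RootRepeal output above is worth reading programmatically rather than by eye: the same hidden DLL is reported in almost every process at the same load address, which is the signature of one injected module, not of many programs that each chose to load it. The following parser is an added example written for this thread, not code from RootRepeal, Safer Networking or anyone posting here. The sample report is a constructed subset copied from the format quoted above, and the function names, the three-process threshold and the five-character prefix grouping are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample in the RootRepeal report format quoted in this thread:
# a subset of the "Hidden Module" records plus the "Hidden Services" entry.
SAMPLE_REPORT = r"""
Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: RUNDLL32.EXE (PID: 1808) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: egui.exe (PID: 1824) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: wlancfg5.exe (PID: 2236) Address: 0x00c20000 Size: 36864

Object: Hidden Module [Name: H8SRTipkipflqdu.dll]
Process: RootRepeal.exe (PID: 3264) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTcsmutcwbta.dll]
Process: iexplore.exe (PID: 4068) Address: 0x00df0000 Size: 151552

Object: Hidden Module [Name: H8SRTfqsnkrloba.dll]
Process: iexplore.exe (PID: 4068) Address: 0x10000000 Size: 86016

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTxeiqhtarsc.sys
"""

MODULE_RE = re.compile(r"^Object: Hidden Module \[Name: (?P<name>[^\]]+)\]$")
PROCESS_RE = re.compile(
    r"^Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) "
    r"Address: 0x(?P<addr>[0-9A-Fa-f]+) Size: (?P<size>\d+)$"
)
SERVICE_RE = re.compile(r"^Service Name: (?P<svc>\S+)$")
IMAGE_RE = re.compile(r"^Image Path: (?P<path>.+)$")


def parse_rootrepeal(text):
    """Return (modules, services): modules maps a DLL name to a list of
    (process, pid, load_address, size); services is [(name, image_path)].
    Each 'Object:' line is paired with the 'Process:' line after it."""
    modules, services = defaultdict(list), []
    pending_module = pending_service = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MODULE_RE.match(line)
        if m:
            pending_module = m.group("name")
            continue
        m = PROCESS_RE.match(line)
        if m and pending_module:
            modules[pending_module].append((m.group("proc"), int(m.group("pid")),
                                            int(m.group("addr"), 16), int(m.group("size"))))
            pending_module = None
            continue
        m = SERVICE_RE.match(line)
        if m:
            pending_service = m.group("svc")
            continue
        m = IMAGE_RE.match(line)
        if m and pending_service:
            services.append((pending_service, m.group("path")))
            pending_service = None
    return dict(modules), services


def injected_modules(modules, min_processes=3):
    """Hidden modules present in at least min_processes distinct processes.
    One DLL hidden from the loader in unrelated processes (the AV GUI, a tray
    app, the scanner itself) was injected into them, not loaded by them."""
    hits = {}
    for name, entries in modules.items():
        procs = {proc.lower() for proc, _, _, _ in entries}
        if len(procs) >= min_processes:
            hits[name] = sorted(procs)
    return hits


def shared_prefix(names, length=5):
    """Group names sharing their first `length` characters (heuristic: every
    component in this thread carries one random prefix, so a prefix shared by
    hidden DLLs and a hidden driver ties them to one dropper)."""
    groups = defaultdict(set)
    for n in names:
        groups[n[:length].upper()].add(n)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    mods, svcs = parse_rootrepeal(SAMPLE_REPORT)
    for name, procs in injected_modules(mods).items():
        print(f"{name}: hidden in {len(procs)} processes: {', '.join(procs)}")
    for svc, path in svcs:
        print(f"hidden service {svc} -> {path}")
    for prefix, members in shared_prefix(list(mods) + [s for s, _ in svcs]).items():
        print(f"prefix {prefix} shared by: {', '.join(members)}")
```

Two things the output makes obvious that the raw list hides: the module is present in the scanner's own process (RootRepeal.exe), so any tool started after the infection is running with the rootkit's code inside it, and 0x10000000 is simply the default image base for a DLL, so seeing it in nearly every process just confirms that the same file was mapped everywhere (the one relocated copy in wlancfg5.exe means that base was already taken there).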

peku006
2010-01-22, 10:11
Hi Appro

Let's run TDSS Killer by Kaspersky.

-Download TDSS Killer (http://support.kaspersky.com/viruses/solutions?qid=208280684) and save to your Desktop. Also print out those instructions on the same page for running the scan.

-Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

-Go to Start ->Run. Type/Copy and Paste the following text into the prompt:


"%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v

-Click OK.
-If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.

-After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
-A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).

Thanks peku006

Appro
2010-01-23, 01:06
TDSS log:

10:55:01:921 1220 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
10:55:01:921 1220 ================================================================================
10:55:01:921 1220 SystemInfo:

10:55:01:921 1220 OS Version: 5.1.2600 ServicePack: 2.0
10:55:01:921 1220 Product type: Workstation
10:55:01:921 1220 ComputerName: CHRIS-PC
10:55:01:921 1220 UserName: Chris
10:55:01:921 1220 Windows directory: C:\WINDOWS
10:55:01:921 1220 Processor architecture: Intel x86
10:55:01:921 1220 Number of processors: 4
10:55:01:921 1220 Page size: 0x1000
10:55:01:921 1220 Boot type: Normal boot
10:55:01:921 1220 ================================================================================
10:55:01:937 1220 UnloadDriverW: NtUnloadDriver error 2
10:55:01:937 1220 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
10:55:01:937 1220 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
10:55:01:953 1220 UtilityInit: KLMD drop and load success
10:55:01:953 1220 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
10:55:01:953 1220 UtilityInit: KLMD open success
10:55:01:953 1220 UtilityInit: Initialize success
10:55:01:953 1220
10:55:01:953 1220 Scanning Services ...
10:55:01:953 1220 CreateRegParser: Registry parser init started
10:55:01:953 1220 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
10:55:01:953 1220 CreateRegParser: DisableWow64Redirection error
10:55:01:953 1220 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
10:55:01:953 1220 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
10:55:01:953 1220 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:55:01:953 1220 wfopen_ex: Trying to KLMD file open
10:55:01:953 1220 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
10:55:01:953 1220 wfopen_ex: File opened ok (Flags 2)
10:55:01:953 1220 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: D94918
10:55:01:953 1220 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
10:55:01:953 1220 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
10:55:01:953 1220 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:55:01:953 1220 wfopen_ex: Trying to KLMD file open
10:55:01:953 1220 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
10:55:01:953 1220 wfopen_ex: File opened ok (Flags 2)
10:55:01:953 1220 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: D949C0
10:55:01:953 1220 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
10:55:01:953 1220 CreateRegParser: EnableWow64Redirection error
10:55:01:953 1220 CreateRegParser: RegParser init completed
10:55:02:343 1220 GetAdvancedServicesInfo: Raw services enum returned 327 services
10:55:02:343 1220 ScanTDL2Services: Exact detect H8SRTd.sys (h: 1)
10:55:02:343 1220 RegNode HKLM\SYSTEM\ControlSet001\services\H8SRTd.sys infected by TDSS rootkit ... 10:55:02:343 1220 will be deleted on reboot
10:55:02:343 1220 DeleteTDL2Service: SafeBoot Minimal doesn't infected
10:55:02:343 1220 DeleteTDL2Service: SafeBoot Network doesn't infected
10:55:02:343 1220 RegNode HKLM\SYSTEM\ControlSet002\services\H8SRTd.sys infected by TDSS rootkit ... 10:55:02:343 1220 will be deleted on reboot
10:55:02:359 1220 DeleteTDL2Service: SafeBoot Minimal doesn't infected
10:55:02:359 1220 DeleteTDL2Service: SafeBoot Network doesn't infected
10:55:02:359 1220 File C:\WINDOWS\system32\drivers\H8SRTxeiqhtarsc.sys infected by TDSS rootkit ... 10:55:02:359 1220 will be deleted on reboot
10:55:02:359 1220 DeleteTDL2Service: Module enum: Name: H8SRTd. Type: 1
10:55:02:359 1220 DeleteTDL2Service: Module clone ImagePath, skipping
10:55:02:359 1220 DeleteTDL2Service: Module enum: Name: H8SRTc. Type: 1
10:55:02:359 1220 File C:\WINDOWS\system32\H8SRTmeyqoewbak.dll infected by TDSS rootkit ... 10:55:02:359 1220 will be deleted on reboot
10:55:02:359 1220 DeleteTDL2Service: Module enum: Name: H8SRTsrcr. Type: 1
10:55:02:359 1220 File C:\WINDOWS\system32\H8SRTdmxaxmlsiq.dat infected by TDSS rootkit ... 10:55:02:359 1220 will be deleted on reboot
10:55:02:359 1220 DeleteTDL2Service: Module enum: Name: h8srtserf. Type: 1
10:55:02:359 1220 File C:\WINDOWS\system32\H8SRTfqsnkrloba.dll infected by TDSS rootkit ... 10:55:02:359 1220 will be deleted on reboot
10:55:02:359 1220 DeleteTDL2Service: Module enum: Name: h8srtmsg. Type: 1
10:55:02:359 1220 File C:\WINDOWS\system32\H8SRTipkipflqdu.dll infected by TDSS rootkit ... 10:55:02:359 1220 will be deleted on reboot
10:55:02:359 1220 DeleteTDL2Service: Module enum: Name: h8srtbbr. Type: 1
10:55:02:359 1220 File C:\WINDOWS\system32\H8SRTcsmutcwbta.dll infected by TDSS rootkit ... 10:55:02:359 1220 will be deleted on reboot
10:55:02:359 1220 DeleteTDL2Service: Module enum: Name: H8SRTerrors. Type: 1
10:55:02:359 1220 File C:\WINDOWS\system32\H8SRTqfalkmrmdi.log infected by TDSS rootkit ... 10:55:02:359 1220 will be deleted on reboot
10:55:02:359 1220 ScanTDL2Services: DeleteEvilService(H8SRTd.sys) success
10:55:02:359 1220 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
10:55:02:359 1220 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
10:55:02:359 1220
10:55:02:359 1220 Scanning Kernel memory ...
10:55:02:359 1220 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
10:55:02:359 1220 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A65DA08
10:55:02:359 1220 DetectCureTDL3: KLMD_GetDeviceObjectList returned 7 DevObjects
10:55:02:359 1220
10:55:02:359 1220 DetectCureTDL3: DEVICE_OBJECT: 8A3D5030
10:55:02:359 1220 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A3D5030
10:55:02:359 1220 KLMD_ReadMem: Trying to ReadMemory 0x8A3D5030[0x38]
10:55:02:359 1220 DetectCureTDL3: DRIVER_OBJECT: 8A65DA08
10:55:02:359 1220 KLMD_ReadMem: Trying to ReadMemory 0x8A65DA08[0xA8]
10:55:02:359 1220 KLMD_ReadMem: Trying to ReadMemory 0xE152DAB0[0x18]
10:55:02:359 1220 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:55:02:359 1220 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
10:55:02:359 1220 DetectCureTDL3: IrpHandler (1) addr: 804F4544
10:55:02:359 1220 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
10:55:02:359 1220 DetectCureTDL3: IrpHandler (3) addr: BA908D1B
10:55:02:359 1220 DetectCureTDL3: IrpHandler (4) addr: BA908D1B
10:55:02:359 1220 DetectCureTDL3: IrpHandler (5) addr: 804F4544
10:55:02:359 1220 DetectCureTDL3: IrpHandler (6) addr: 804F4544
10:55:02:359 1220 DetectCureTDL3: IrpHandler (7) addr: 804F4544
10:55:02:359 1220 DetectCureTDL3: IrpHandler (8) addr: 804F4544
10:55:02:359 1220 DetectCureTDL3: IrpHandler (9) addr: BA9092DA
10:55:02:359 1220 DetectCureTDL3: IrpHandler (10) addr: 804F4544
10:55:02:359 1220 DetectCureTDL3: IrpHandler (11) addr: 804F4544
10:55:02:359 1220 DetectCureTDL3: IrpHandler (12) addr: 804F4544
10:55:02:359 1220 DetectCureTDL3: IrpHandler (13) addr: 804F4544
10:55:02:359 1220 DetectCureTDL3: IrpHandler (14) addr: BA9093B1
10:55:02:359 1220 DetectCureTDL3: IrpHandler (15) addr: BA90CF10
10:55:02:359 1220 DetectCureTDL3: IrpHandler (16) addr: BA9092DA
10:55:02:359 1220 DetectCureTDL3: IrpHandler (17) addr: 804F4544
10:55:02:359 1220 DetectCureTDL3: IrpHandler (18) addr: 804F4544
10:55:02:359 1220 DetectCureTDL3: IrpHandler (19) addr: 804F4544
10:55:02:359 1220 DetectCureTDL3: IrpHandler (20) addr: 804F4544
10:55:02:359 1220 DetectCureTDL3: IrpHandler (21) addr: 804F4544
10:55:02:359 1220 DetectCureTDL3: IrpHandler (22) addr: BA90AC74
10:55:02:359 1220 DetectCureTDL3: IrpHandler (23) addr: BA90F99A
10:55:02:359 1220 DetectCureTDL3: IrpHandler (24) addr: 804F4544
10:55:02:359 1220 DetectCureTDL3: IrpHandler (25) addr: 804F4544
10:55:02:359 1220 DetectCureTDL3: IrpHandler (26) addr: 804F4544
10:55:02:359 1220 TDL3_FileDetect: Processing driver: Disk
10:55:02:359 1220 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:55:02:359 1220 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:55:02:375 1220 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:55:02:375 1220
10:55:02:375 1220 DetectCureTDL3: DEVICE_OBJECT: 8A318030
10:55:02:375 1220 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A318030
10:55:02:375 1220 DetectCureTDL3: DEVICE_OBJECT: 8A347EA0
10:55:02:375 1220 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A347EA0
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0x8A347EA0[0x38]
10:55:02:375 1220 DetectCureTDL3: DRIVER_OBJECT: 8A347DA0
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0x8A347DA0[0xA8]
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0xE1A05220[0x1E]
10:55:02:375 1220 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
10:55:02:375 1220 DetectCureTDL3: IrpHandler (0) addr: BAC6D218
10:55:02:375 1220 DetectCureTDL3: IrpHandler (1) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (2) addr: BAC6D218
10:55:02:375 1220 DetectCureTDL3: IrpHandler (3) addr: BAC6D23C
10:55:02:375 1220 DetectCureTDL3: IrpHandler (4) addr: BAC6D23C
10:55:02:375 1220 DetectCureTDL3: IrpHandler (5) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (6) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (7) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (8) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (9) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (10) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (11) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (12) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (13) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (14) addr: BAC6D180
10:55:02:375 1220 DetectCureTDL3: IrpHandler (15) addr: BAC689E6
10:55:02:375 1220 DetectCureTDL3: IrpHandler (16) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (17) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (18) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (19) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (20) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (21) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (22) addr: BAC6C5F0
10:55:02:375 1220 DetectCureTDL3: IrpHandler (23) addr: BAC6AA6E
10:55:02:375 1220 DetectCureTDL3: IrpHandler (24) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (25) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (26) addr: 804F4544
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0xBAC69F26[0x400]
10:55:02:375 1220 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
10:55:02:375 1220 TDL3_FileDetect: Processing driver: usbstor
10:55:02:375 1220 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:55:02:375 1220 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:55:02:375 1220 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
10:55:02:375 1220
10:55:02:375 1220 DetectCureTDL3: DEVICE_OBJECT: 8A61CC68
10:55:02:375 1220 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A61CC68
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0x8A61CC68[0x38]
10:55:02:375 1220 DetectCureTDL3: DRIVER_OBJECT: 8A65DA08
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0x8A65DA08[0xA8]
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0xE152DAB0[0x18]
10:55:02:375 1220 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:55:02:375 1220 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
10:55:02:375 1220 DetectCureTDL3: IrpHandler (1) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
10:55:02:375 1220 DetectCureTDL3: IrpHandler (3) addr: BA908D1B
10:55:02:375 1220 DetectCureTDL3: IrpHandler (4) addr: BA908D1B
10:55:02:375 1220 DetectCureTDL3: IrpHandler (5) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (6) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (7) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (8) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (9) addr: BA9092DA
10:55:02:375 1220 DetectCureTDL3: IrpHandler (10) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (11) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (12) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (13) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (14) addr: BA9093B1
10:55:02:375 1220 DetectCureTDL3: IrpHandler (15) addr: BA90CF10
10:55:02:375 1220 DetectCureTDL3: IrpHandler (16) addr: BA9092DA
10:55:02:375 1220 DetectCureTDL3: IrpHandler (17) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (18) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (19) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (20) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (21) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (22) addr: BA90AC74
10:55:02:375 1220 DetectCureTDL3: IrpHandler (23) addr: BA90F99A
10:55:02:375 1220 DetectCureTDL3: IrpHandler (24) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (25) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (26) addr: 804F4544
10:55:02:375 1220 TDL3_FileDetect: Processing driver: Disk
10:55:02:375 1220 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:55:02:375 1220 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:55:02:375 1220 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:55:02:375 1220
10:55:02:375 1220 DetectCureTDL3: DEVICE_OBJECT: 8A61C030
10:55:02:375 1220 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A61C030
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0x8A61C030[0x38]
10:55:02:375 1220 DetectCureTDL3: DRIVER_OBJECT: 8A65DA08
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0x8A65DA08[0xA8]
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0xE152DAB0[0x18]
10:55:02:375 1220 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:55:02:375 1220 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
10:55:02:375 1220 DetectCureTDL3: IrpHandler (1) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
10:55:02:375 1220 DetectCureTDL3: IrpHandler (3) addr: BA908D1B
10:55:02:375 1220 DetectCureTDL3: IrpHandler (4) addr: BA908D1B
10:55:02:375 1220 DetectCureTDL3: IrpHandler (5) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (6) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (7) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (8) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (9) addr: BA9092DA
10:55:02:375 1220 DetectCureTDL3: IrpHandler (10) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (11) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (12) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (13) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (14) addr: BA9093B1
10:55:02:375 1220 DetectCureTDL3: IrpHandler (15) addr: BA90CF10
10:55:02:375 1220 DetectCureTDL3: IrpHandler (16) addr: BA9092DA
10:55:02:375 1220 DetectCureTDL3: IrpHandler (17) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (18) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (19) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (20) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (21) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (22) addr: BA90AC74
10:55:02:375 1220 DetectCureTDL3: IrpHandler (23) addr: BA90F99A
10:55:02:375 1220 DetectCureTDL3: IrpHandler (24) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (25) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (26) addr: 804F4544
10:55:02:375 1220 TDL3_FileDetect: Processing driver: Disk
10:55:02:375 1220 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:55:02:375 1220 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:55:02:375 1220 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:55:02:375 1220
10:55:02:375 1220 DetectCureTDL3: DEVICE_OBJECT: 8A689C68
10:55:02:375 1220 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A689C68
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0x8A689C68[0x38]
10:55:02:375 1220 DetectCureTDL3: DRIVER_OBJECT: 8A65DA08
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0x8A65DA08[0xA8]
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0xE152DAB0[0x18]
10:55:02:375 1220 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:55:02:375 1220 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
10:55:02:375 1220 DetectCureTDL3: IrpHandler (1) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
10:55:02:375 1220 DetectCureTDL3: IrpHandler (3) addr: BA908D1B
10:55:02:375 1220 DetectCureTDL3: IrpHandler (4) addr: BA908D1B
10:55:02:375 1220 DetectCureTDL3: IrpHandler (5) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (6) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (7) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (8) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (9) addr: BA9092DA
10:55:02:375 1220 DetectCureTDL3: IrpHandler (10) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (11) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (12) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (13) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (14) addr: BA9093B1
10:55:02:375 1220 DetectCureTDL3: IrpHandler (15) addr: BA90CF10
10:55:02:375 1220 DetectCureTDL3: IrpHandler (16) addr: BA9092DA
10:55:02:375 1220 DetectCureTDL3: IrpHandler (17) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (18) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (19) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (20) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (21) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (22) addr: BA90AC74
10:55:02:375 1220 DetectCureTDL3: IrpHandler (23) addr: BA90F99A
10:55:02:375 1220 DetectCureTDL3: IrpHandler (24) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (25) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (26) addr: 804F4544
10:55:02:375 1220 TDL3_FileDetect: Processing driver: Disk
10:55:02:375 1220 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:55:02:375 1220 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:55:02:375 1220 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:55:02:375 1220
10:55:02:375 1220 DetectCureTDL3: DEVICE_OBJECT: 8A68AAB8
10:55:02:375 1220 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A68AAB8
10:55:02:375 1220 DetectCureTDL3: DEVICE_OBJECT: 8A6DE030
10:55:02:375 1220 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6DE030
10:55:02:375 1220 DetectCureTDL3: DEVICE_OBJECT: 8A68B940
10:55:02:375 1220 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A68B940
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0x8A68B940[0x38]
10:55:02:375 1220 DetectCureTDL3: DRIVER_OBJECT: 8A6A4900
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0x8A6A4900[0xA8]
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0xE101EFE0[0x1A]
10:55:02:375 1220 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
10:55:02:375 1220 DetectCureTDL3: IrpHandler (0) addr: BA715572
10:55:02:375 1220 DetectCureTDL3: IrpHandler (1) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (2) addr: BA715572
10:55:02:375 1220 DetectCureTDL3: IrpHandler (3) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (4) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (5) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (6) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (7) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (8) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (9) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (10) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (11) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (12) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (13) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (14) addr: BA715592
10:55:02:375 1220 DetectCureTDL3: IrpHandler (15) addr: BA7117B4
10:55:02:375 1220 DetectCureTDL3: IrpHandler (16) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (17) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (18) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (19) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (20) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (21) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (22) addr: BA7155BC
10:55:02:375 1220 DetectCureTDL3: IrpHandler (23) addr: BA71C164
10:55:02:375 1220 DetectCureTDL3: IrpHandler (24) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (25) addr: 804F4544
10:55:02:375 1220 DetectCureTDL3: IrpHandler (26) addr: 804F4544
10:55:02:375 1220 KLMD_ReadMem: Trying to ReadMemory 0xBA7127C6[0x400]
10:55:02:375 1220 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
10:55:02:375 1220 TDL3_FileDetect: Processing driver: atapi
10:55:02:375 1220 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
10:55:02:375 1220 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
10:55:02:390 1220 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
10:55:02:390 1220
10:55:02:390 1220 DetectCureTDL3: DEVICE_OBJECT: 8A620AB8
10:55:02:390 1220 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A620AB8
10:55:02:390 1220 DetectCureTDL3: DEVICE_OBJECT: 8A623D98
10:55:02:390 1220 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A623D98
10:55:02:390 1220 KLMD_ReadMem: Trying to ReadMemory 0x8A623D98[0x38]
10:55:02:390 1220 DetectCureTDL3: DRIVER_OBJECT: 8A6A4900
10:55:02:390 1220 KLMD_ReadMem: Trying to ReadMemory 0x8A6A4900[0xA8]
10:55:02:390 1220 KLMD_ReadMem: Trying to ReadMemory 0xE101EFE0[0x1A]
10:55:02:390 1220 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
10:55:02:390 1220 DetectCureTDL3: IrpHandler (0) addr: BA715572
10:55:02:390 1220 DetectCureTDL3: IrpHandler (1) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (2) addr: BA715572
10:55:02:390 1220 DetectCureTDL3: IrpHandler (3) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (4) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (5) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (6) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (7) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (8) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (9) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (10) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (11) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (12) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (13) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (14) addr: BA715592
10:55:02:390 1220 DetectCureTDL3: IrpHandler (15) addr: BA7117B4
10:55:02:390 1220 DetectCureTDL3: IrpHandler (16) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (17) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (18) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (19) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (20) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (21) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (22) addr: BA7155BC
10:55:02:390 1220 DetectCureTDL3: IrpHandler (23) addr: BA71C164
10:55:02:390 1220 DetectCureTDL3: IrpHandler (24) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (25) addr: 804F4544
10:55:02:390 1220 DetectCureTDL3: IrpHandler (26) addr: 804F4544
10:55:02:390 1220 KLMD_ReadMem: Trying to ReadMemory 0xBA7127C6[0x400]
10:55:02:390 1220 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
10:55:02:390 1220 TDL3_FileDetect: Processing driver: atapi
10:55:02:390 1220 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
10:55:02:390 1220 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
10:55:02:390 1220 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
10:55:02:390 1220 UtilityBootReinit: Reboot required for cure complete..
10:55:02:390 1220 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
10:55:02:390 1220 UtilityBootReinit: KLMD drop success
10:55:02:390 1220 KLMD_ApplyPendList: Pending buffer(61CE_54C9, 1152) dropped successfully
10:55:02:390 1220 UtilityBootReinit: Cure on reboot scheduled successfully
10:55:02:390 1220
10:55:02:390 1220 Completed
10:55:02:390 1220
10:55:02:390 1220 Results:
10:55:02:390 1220 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
10:55:02:390 1220 Registry objects infected / cured / cured on reboot: 2 / 0 / 2
10:55:02:390 1220 File objects infected / cured / cured on reboot: 7 / 0 / 7
10:55:02:390 1220
10:55:02:390 1220 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
10:55:02:390 1220 UtilityDeinit: KLMD(ARK) unloaded successfully
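
The log above ends with "Reboot required for cure complete" and a Results block in which every infected object is in the "cured on reboot" column and none in "cured". That means nothing has been removed yet: the cleanup is queued in a pending list applied at the next boot, and the only way to know it worked is to run the tool again afterwards and check that the same objects do not come back. The script below is an added example for this thread, not Kaspersky's code or anything posted by Appro or peku006; it parses the detection, verdict, results and reboot lines of the TDSSKiller 2.2.2 format shown here and compares two runs. The two sample logs are constructed excerpts of the format above (the second is the first with later timestamps), and the function names are mine.

```python
import re

# Constructed excerpt in the TDSSKiller 2.2.2 log format quoted in this thread
# (first run); only the lines the parser cares about are kept.
SAMPLE_RUN_1 = r"""
10:55:01:921 1220 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
10:55:02:343 1220 ScanTDL2Services: Exact detect H8SRTd.sys (h: 1)
10:55:02:343 1220 RegNode HKLM\SYSTEM\ControlSet001\services\H8SRTd.sys infected by TDSS rootkit ... 10:55:02:343 1220 will be deleted on reboot
10:55:02:343 1220 RegNode HKLM\SYSTEM\ControlSet002\services\H8SRTd.sys infected by TDSS rootkit ... 10:55:02:343 1220 will be deleted on reboot
10:55:02:359 1220 File C:\WINDOWS\system32\drivers\H8SRTxeiqhtarsc.sys infected by TDSS rootkit ... 10:55:02:359 1220 will be deleted on reboot
10:55:02:359 1220 File C:\WINDOWS\system32\H8SRTmeyqoewbak.dll infected by TDSS rootkit ... 10:55:02:359 1220 will be deleted on reboot
10:55:02:359 1220 File C:\WINDOWS\system32\H8SRTdmxaxmlsiq.dat infected by TDSS rootkit ... 10:55:02:359 1220 will be deleted on reboot
10:55:02:359 1220 File C:\WINDOWS\system32\H8SRTfqsnkrloba.dll infected by TDSS rootkit ... 10:55:02:359 1220 will be deleted on reboot
10:55:02:359 1220 File C:\WINDOWS\system32\H8SRTipkipflqdu.dll infected by TDSS rootkit ... 10:55:02:359 1220 will be deleted on reboot
10:55:02:359 1220 File C:\WINDOWS\system32\H8SRTcsmutcwbta.dll infected by TDSS rootkit ... 10:55:02:359 1220 will be deleted on reboot
10:55:02:359 1220 File C:\WINDOWS\system32\H8SRTqfalkmrmdi.log infected by TDSS rootkit ... 10:55:02:359 1220 will be deleted on reboot
10:55:02:375 1220 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:55:02:390 1220 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
10:55:02:390 1220 UtilityBootReinit: Reboot required for cure complete..
10:55:02:390 1220 Results:
10:55:02:390 1220 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
10:55:02:390 1220 Registry objects infected / cured / cured on reboot: 2 / 0 / 2
10:55:02:390 1220 File objects infected / cured / cured on reboot: 7 / 0 / 7
"""

# Constructed second run: identical findings under later timestamps and another
# PID, which is what a re-scan looks like when the pending cure did not happen.
SAMPLE_RUN_2 = re.sub(r"\d\d:\d\d:\d\d:\d{3} 1220", "11:00:14:093 0188", SAMPLE_RUN_1)

TS = r"\d\d:\d\d:\d\d:\d{3} \d{4}"  # "HH:MM:SS:mmm PID" prefix on every line
DETECT_RE = re.compile(rf"^{TS} (?P<kind>RegNode|File) (?P<obj>.+?) infected by TDSS rootkit "
                       rf"\.\.\. {TS} (?P<action>.+)$")
VERDICT_RE = re.compile(rf"^{TS} TDL3_FileDetect: (?P<path>.+) - Verdict: (?P<verdict>\S+)$")
RESULT_RE = re.compile(rf"^{TS} (?P<cat>Memory|Registry|File) objects infected / cured / "
                       rf"cured on reboot: (?P<inf>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)$")
REBOOT_RE = re.compile(rf"^{TS} UtilityBootReinit: Reboot required")


def parse_tdsskiller(text):
    """Pull detections, driver verdicts, the Results block and the reboot flag
    out of a TDSSKiller log; every other line is ignored."""
    report = {"detections": [], "verdicts": {}, "results": {}, "reboot_required": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECT_RE.match(line)
        if m:
            report["detections"].append((m["kind"], m["obj"], m["action"]))
            continue
        m = VERDICT_RE.match(line)
        if m:
            report["verdicts"][m["path"]] = m["verdict"]
            continue
        m = RESULT_RE.match(line)
        if m:
            report["results"][m["cat"]] = (int(m["inf"]), int(m["cured"]), int(m["reboot"]))
            continue
        if REBOOT_RE.match(line):
            report["reboot_required"] = True
    return report


def cure_pending(report):
    """True when disinfection was deferred to the next boot: the infection
    stays live until the machine restarts and the pending list is applied."""
    deferred = sum(on_reboot for _, _, on_reboot in report["results"].values())
    return report["reboot_required"] or deferred > 0


def still_infected_after(report):
    """Objects counted as infected but not cured in-session, per category."""
    return {cat: inf - cured for cat, (inf, cured, _) in report["results"].items()}


def reappearing(first, second):
    """Objects detected in both runs. After the reboot the first run asked for,
    these are the objects the pending cure failed to remove; if no reboot
    happened in between, nothing has been cleaned yet."""
    a = {obj for _, obj, _ in first["detections"]}
    b = {obj for _, obj, _ in second["detections"]}
    return sorted(a & b)


if __name__ == "__main__":
    r1, r2 = parse_tdsskiller(SAMPLE_RUN_1), parse_tdsskiller(SAMPLE_RUN_2)
    for kind, obj, action in r1["detections"]:
        print(f"{kind:8} {obj}  [{action}]")
    print("driver verdicts:", r1["verdicts"])
    print("cure pending on reboot:", cure_pending(r1), still_infected_after(r1))
    print("reported again by the second run:", len(reappearing(r1, r2)))
```

A second run that lists the same service, driver and DLLs again is not a bug in the log: it is the check that tells you whether to expect a clean follow-up scan or to look for what is re-dropping the files.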

Appro
2010-01-23, 01:07
TDSS report:

11:00:13:578 0188 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
11:00:13:578 0188 ================================================================================
11:00:13:578 0188 SystemInfo:

11:00:13:578 0188 OS Version: 5.1.2600 ServicePack: 2.0
11:00:13:578 0188 Product type: Workstation
11:00:13:578 0188 ComputerName: CHRIS-PC
11:00:13:578 0188 UserName: Chris
11:00:13:578 0188 Windows directory: C:\WINDOWS
11:00:13:578 0188 Processor architecture: Intel x86
11:00:13:578 0188 Number of processors: 4
11:00:13:578 0188 Page size: 0x1000
11:00:13:578 0188 Boot type: Normal boot
11:00:13:578 0188 ================================================================================
11:00:13:578 0188 UnloadDriverW: NtUnloadDriver error 2
11:00:13:578 0188 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
11:00:13:578 0188 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
11:00:13:578 0188 UtilityInit: KLMD drop and load success
11:00:13:578 0188 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
11:00:13:578 0188 UtilityInit: KLMD open success
11:00:13:578 0188 UtilityInit: Initialize success
11:00:13:578 0188
11:00:13:578 0188 Scanning Services ...
11:00:13:578 0188 CreateRegParser: Registry parser init started
11:00:13:578 0188 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
11:00:13:578 0188 CreateRegParser: DisableWow64Redirection error
11:00:13:578 0188 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
11:00:13:578 0188 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
11:00:13:578 0188 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:00:13:578 0188 wfopen_ex: Trying to KLMD file open
11:00:13:578 0188 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
11:00:13:578 0188 wfopen_ex: File opened ok (Flags 2)
11:00:13:578 0188 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: D949E0
11:00:13:578 0188 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
11:00:13:578 0188 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
11:00:13:578 0188 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:00:13:578 0188 wfopen_ex: Trying to KLMD file open
11:00:13:578 0188 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
11:00:13:578 0188 wfopen_ex: File opened ok (Flags 2)
11:00:13:578 0188 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: D94A88
11:00:13:578 0188 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
11:00:13:578 0188 CreateRegParser: EnableWow64Redirection error
11:00:13:578 0188 CreateRegParser: RegParser init completed
11:00:14:093 0188 GetAdvancedServicesInfo: Raw services enum returned 328 services
11:00:14:093 0188 ScanTDL2Services: Exact detect H8SRTd.sys (h: 1)
11:00:14:093 0188 RegNode HKLM\SYSTEM\ControlSet001\services\H8SRTd.sys infected by TDSS rootkit ... 11:00:14:093 0188 will be deleted on reboot
11:00:14:093 0188 DeleteTDL2Service: SafeBoot Minimal doesn't infected
11:00:14:093 0188 DeleteTDL2Service: SafeBoot Network doesn't infected
11:00:14:093 0188 RegNode HKLM\SYSTEM\ControlSet002\services\H8SRTd.sys infected by TDSS rootkit ... 11:00:14:093 0188 will be deleted on reboot
11:00:14:093 0188 DeleteTDL2Service: SafeBoot Minimal doesn't infected
11:00:14:093 0188 DeleteTDL2Service: SafeBoot Network doesn't infected
11:00:14:093 0188 File C:\WINDOWS\system32\drivers\H8SRTxeiqhtarsc.sys infected by TDSS rootkit ... 11:00:14:093 0188 will be deleted on reboot
11:00:14:093 0188 DeleteTDL2Service: Module enum: Name: H8SRTd. Type: 1
11:00:14:093 0188 DeleteTDL2Service: Module clone ImagePath, skipping
11:00:14:093 0188 DeleteTDL2Service: Module enum: Name: H8SRTc. Type: 1
11:00:14:093 0188 File C:\WINDOWS\system32\H8SRTmeyqoewbak.dll infected by TDSS rootkit ... 11:00:14:093 0188 will be deleted on reboot
11:00:14:093 0188 DeleteTDL2Service: Module enum: Name: H8SRTsrcr. Type: 1
11:00:14:093 0188 File C:\WINDOWS\system32\H8SRTdmxaxmlsiq.dat infected by TDSS rootkit ... 11:00:14:093 0188 will be deleted on reboot
11:00:14:093 0188 DeleteTDL2Service: Module enum: Name: h8srtserf. Type: 1
11:00:14:093 0188 File C:\WINDOWS\system32\H8SRTfqsnkrloba.dll infected by TDSS rootkit ... 11:00:14:093 0188 will be deleted on reboot
11:00:14:093 0188 DeleteTDL2Service: Module enum: Name: h8srtmsg. Type: 1
11:00:14:093 0188 File C:\WINDOWS\system32\H8SRTipkipflqdu.dll infected by TDSS rootkit ... 11:00:14:093 0188 will be deleted on reboot
11:00:14:093 0188 DeleteTDL2Service: Module enum: Name: h8srtbbr. Type: 1
11:00:14:093 0188 File C:\WINDOWS\system32\H8SRTcsmutcwbta.dll infected by TDSS rootkit ... 11:00:14:093 0188 will be deleted on reboot
11:00:14:093 0188 DeleteTDL2Service: Module enum: Name: H8SRTerrors. Type: 1
11:00:14:093 0188 File C:\WINDOWS\system32\H8SRTqfalkmrmdi.log infected by TDSS rootkit ... 11:00:14:093 0188 will be deleted on reboot
11:00:14:093 0188 ScanTDL2Services: DeleteEvilService(H8SRTd.sys) success
11:00:14:093 0188 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
11:00:14:093 0188 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
11:00:14:093 0188
11:00:14:093 0188 Scanning Kernel memory ...
11:00:14:093 0188 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
11:00:14:093 0188 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A65DA08
11:00:14:093 0188 DetectCureTDL3: KLMD_GetDeviceObjectList returned 7 DevObjects
11:00:14:093 0188
11:00:14:093 0188 DetectCureTDL3: DEVICE_OBJECT: 8A3D5030
11:00:14:093 0188 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A3D5030
11:00:14:093 0188 KLMD_ReadMem: Trying to ReadMemory 0x8A3D5030[0x38]
11:00:14:093 0188 DetectCureTDL3: DRIVER_OBJECT: 8A65DA08
11:00:14:093 0188 KLMD_ReadMem: Trying to ReadMemory 0x8A65DA08[0xA8]
11:00:14:093 0188 KLMD_ReadMem: Trying to ReadMemory 0xE152DAB0[0x18]
11:00:14:093 0188 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
11:00:14:093 0188 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
11:00:14:093 0188 DetectCureTDL3: IrpHandler (1) addr: 804F4544
11:00:14:093 0188 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
11:00:14:093 0188 DetectCureTDL3: IrpHandler (3) addr: BA908D1B
11:00:14:093 0188 DetectCureTDL3: IrpHandler (4) addr: BA908D1B
11:00:14:093 0188 DetectCureTDL3: IrpHandler (5) addr: 804F4544
11:00:14:093 0188 DetectCureTDL3: IrpHandler (6) addr: 804F4544
11:00:14:093 0188 DetectCureTDL3: IrpHandler (7) addr: 804F4544
11:00:14:093 0188 DetectCureTDL3: IrpHandler (8) addr: 804F4544
11:00:14:093 0188 DetectCureTDL3: IrpHandler (9) addr: BA9092DA
11:00:14:093 0188 DetectCureTDL3: IrpHandler (10) addr: 804F4544
11:00:14:093 0188 DetectCureTDL3: IrpHandler (11) addr: 804F4544
11:00:14:093 0188 DetectCureTDL3: IrpHandler (12) addr: 804F4544
11:00:14:093 0188 DetectCureTDL3: IrpHandler (13) addr: 804F4544
11:00:14:093 0188 DetectCureTDL3: IrpHandler (14) addr: BA9093B1
11:00:14:093 0188 DetectCureTDL3: IrpHandler (15) addr: BA90CF10
11:00:14:093 0188 DetectCureTDL3: IrpHandler (16) addr: BA9092DA
11:00:14:093 0188 DetectCureTDL3: IrpHandler (17) addr: 804F4544
11:00:14:093 0188 DetectCureTDL3: IrpHandler (18) addr: 804F4544
11:00:14:093 0188 DetectCureTDL3: IrpHandler (19) addr: 804F4544
11:00:14:093 0188 DetectCureTDL3: IrpHandler (20) addr: 804F4544
11:00:14:093 0188 DetectCureTDL3: IrpHandler (21) addr: 804F4544
11:00:14:093 0188 DetectCureTDL3: IrpHandler (22) addr: BA90AC74
11:00:14:093 0188 DetectCureTDL3: IrpHandler (23) addr: BA90F99A
11:00:14:093 0188 DetectCureTDL3: IrpHandler (24) addr: 804F4544
11:00:14:093 0188 DetectCureTDL3: IrpHandler (25) addr: 804F4544
11:00:14:093 0188 DetectCureTDL3: IrpHandler (26) addr: 804F4544
11:00:14:093 0188 TDL3_FileDetect: Processing driver: Disk
11:00:14:093 0188 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
11:00:14:093 0188 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
11:00:14:109 0188 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
11:00:14:109 0188
11:00:14:109 0188 DetectCureTDL3: DEVICE_OBJECT: 8A318030
11:00:14:109 0188 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A318030
11:00:14:109 0188 DetectCureTDL3: DEVICE_OBJECT: 8A347EA0
11:00:14:109 0188 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A347EA0
11:00:14:109 0188 KLMD_ReadMem: Trying to ReadMemory 0x8A347EA0[0x38]
11:00:14:109 0188 DetectCureTDL3: DRIVER_OBJECT: 8A347DA0
11:00:14:109 0188 KLMD_ReadMem: Trying to ReadMemory 0x8A347DA0[0xA8]
11:00:14:109 0188 KLMD_ReadMem: Trying to ReadMemory 0xE1A05220[0x1E]
11:00:14:109 0188 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
11:00:14:109 0188 DetectCureTDL3: IrpHandler (0) addr: BAC6D218
11:00:14:109 0188 DetectCureTDL3: IrpHandler (1) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (2) addr: BAC6D218
11:00:14:109 0188 DetectCureTDL3: IrpHandler (3) addr: BAC6D23C
11:00:14:109 0188 DetectCureTDL3: IrpHandler (4) addr: BAC6D23C
11:00:14:109 0188 DetectCureTDL3: IrpHandler (5) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (6) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (7) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (8) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (9) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (10) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (11) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (12) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (13) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (14) addr: BAC6D180
11:00:14:109 0188 DetectCureTDL3: IrpHandler (15) addr: BAC689E6
11:00:14:109 0188 DetectCureTDL3: IrpHandler (16) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (17) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (18) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (19) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (20) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (21) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (22) addr: BAC6C5F0
11:00:14:109 0188 DetectCureTDL3: IrpHandler (23) addr: BAC6AA6E
11:00:14:109 0188 DetectCureTDL3: IrpHandler (24) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (25) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (26) addr: 804F4544
11:00:14:109 0188 KLMD_ReadMem: Trying to ReadMemory 0xBAC69F26[0x400]
11:00:14:109 0188 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
11:00:14:109 0188 TDL3_FileDetect: Processing driver: usbstor
11:00:14:109 0188 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:00:14:109 0188 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:00:14:109 0188 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
11:00:14:109 0188
11:00:14:109 0188 DetectCureTDL3: DEVICE_OBJECT: 8A61CC68
11:00:14:109 0188 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A61CC68
11:00:14:109 0188 KLMD_ReadMem: Trying to ReadMemory 0x8A61CC68[0x38]
11:00:14:109 0188 DetectCureTDL3: DRIVER_OBJECT: 8A65DA08
11:00:14:109 0188 KLMD_ReadMem: Trying to ReadMemory 0x8A65DA08[0xA8]
11:00:14:109 0188 KLMD_ReadMem: Trying to ReadMemory 0xE152DAB0[0x18]
11:00:14:109 0188 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
11:00:14:109 0188 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
11:00:14:109 0188 DetectCureTDL3: IrpHandler (1) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
11:00:14:109 0188 DetectCureTDL3: IrpHandler (3) addr: BA908D1B
11:00:14:109 0188 DetectCureTDL3: IrpHandler (4) addr: BA908D1B
11:00:14:109 0188 DetectCureTDL3: IrpHandler (5) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (6) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (7) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (8) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (9) addr: BA9092DA
11:00:14:109 0188 DetectCureTDL3: IrpHandler (10) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (11) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (12) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (13) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (14) addr: BA9093B1
11:00:14:109 0188 DetectCureTDL3: IrpHandler (15) addr: BA90CF10
11:00:14:109 0188 DetectCureTDL3: IrpHandler (16) addr: BA9092DA
11:00:14:109 0188 DetectCureTDL3: IrpHandler (17) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (18) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (19) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (20) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (21) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (22) addr: BA90AC74
11:00:14:109 0188 DetectCureTDL3: IrpHandler (23) addr: BA90F99A
11:00:14:109 0188 DetectCureTDL3: IrpHandler (24) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (25) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (26) addr: 804F4544
11:00:14:109 0188 TDL3_FileDetect: Processing driver: Disk
11:00:14:109 0188 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
11:00:14:109 0188 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
11:00:14:109 0188 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
11:00:14:109 0188
11:00:14:109 0188 DetectCureTDL3: DEVICE_OBJECT: 8A61C030
11:00:14:109 0188 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A61C030
11:00:14:109 0188 KLMD_ReadMem: Trying to ReadMemory 0x8A61C030[0x38]
11:00:14:109 0188 DetectCureTDL3: DRIVER_OBJECT: 8A65DA08
11:00:14:109 0188 KLMD_ReadMem: Trying to ReadMemory 0x8A65DA08[0xA8]
11:00:14:109 0188 KLMD_ReadMem: Trying to ReadMemory 0xE152DAB0[0x18]
11:00:14:109 0188 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
11:00:14:109 0188 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
11:00:14:109 0188 DetectCureTDL3: IrpHandler (1) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
11:00:14:109 0188 DetectCureTDL3: IrpHandler (3) addr: BA908D1B
11:00:14:109 0188 DetectCureTDL3: IrpHandler (4) addr: BA908D1B
11:00:14:109 0188 DetectCureTDL3: IrpHandler (5) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (6) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (7) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (8) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (9) addr: BA9092DA
11:00:14:109 0188 DetectCureTDL3: IrpHandler (10) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (11) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (12) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (13) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (14) addr: BA9093B1
11:00:14:109 0188 DetectCureTDL3: IrpHandler (15) addr: BA90CF10
11:00:14:109 0188 DetectCureTDL3: IrpHandler (16) addr: BA9092DA
11:00:14:109 0188 DetectCureTDL3: IrpHandler (17) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (18) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (19) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (20) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (21) addr: 804F4544
11:00:14:109 0188 DetectCureTDL3: IrpHandler (22) addr: BA90AC74
11:00:14:125 0188 DetectCureTDL3: IrpHandler (23) addr: BA90F99A
11:00:14:125 0188 DetectCureTDL3: IrpHandler (24) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (25) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (26) addr: 804F4544
11:00:14:125 0188 TDL3_FileDetect: Processing driver: Disk
11:00:14:125 0188 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
11:00:14:125 0188 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
11:00:14:125 0188 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
11:00:14:125 0188
11:00:14:125 0188 DetectCureTDL3: DEVICE_OBJECT: 8A689C68
11:00:14:125 0188 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A689C68
11:00:14:125 0188 KLMD_ReadMem: Trying to ReadMemory 0x8A689C68[0x38]
11:00:14:125 0188 DetectCureTDL3: DRIVER_OBJECT: 8A65DA08
11:00:14:125 0188 KLMD_ReadMem: Trying to ReadMemory 0x8A65DA08[0xA8]
11:00:14:125 0188 KLMD_ReadMem: Trying to ReadMemory 0xE152DAB0[0x18]
11:00:14:125 0188 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
11:00:14:125 0188 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
11:00:14:125 0188 DetectCureTDL3: IrpHandler (1) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
11:00:14:125 0188 DetectCureTDL3: IrpHandler (3) addr: BA908D1B
11:00:14:125 0188 DetectCureTDL3: IrpHandler (4) addr: BA908D1B
11:00:14:125 0188 DetectCureTDL3: IrpHandler (5) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (6) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (7) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (8) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (9) addr: BA9092DA
11:00:14:125 0188 DetectCureTDL3: IrpHandler (10) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (11) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (12) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (13) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (14) addr: BA9093B1
11:00:14:125 0188 DetectCureTDL3: IrpHandler (15) addr: BA90CF10
11:00:14:125 0188 DetectCureTDL3: IrpHandler (16) addr: BA9092DA
11:00:14:125 0188 DetectCureTDL3: IrpHandler (17) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (18) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (19) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (20) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (21) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (22) addr: BA90AC74
11:00:14:125 0188 DetectCureTDL3: IrpHandler (23) addr: BA90F99A
11:00:14:125 0188 DetectCureTDL3: IrpHandler (24) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (25) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (26) addr: 804F4544
11:00:14:125 0188 TDL3_FileDetect: Processing driver: Disk
11:00:14:125 0188 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
11:00:14:125 0188 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
11:00:14:125 0188 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
11:00:14:125 0188
11:00:14:125 0188 DetectCureTDL3: DEVICE_OBJECT: 8A68AAB8
11:00:14:125 0188 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A68AAB8
11:00:14:125 0188 DetectCureTDL3: DEVICE_OBJECT: 8A6DE030
11:00:14:125 0188 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6DE030
11:00:14:125 0188 DetectCureTDL3: DEVICE_OBJECT: 8A68B940
11:00:14:125 0188 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A68B940
11:00:14:125 0188 KLMD_ReadMem: Trying to ReadMemory 0x8A68B940[0x38]
11:00:14:125 0188 DetectCureTDL3: DRIVER_OBJECT: 8A6A4900
11:00:14:125 0188 KLMD_ReadMem: Trying to ReadMemory 0x8A6A4900[0xA8]
11:00:14:125 0188 KLMD_ReadMem: Trying to ReadMemory 0xE101EFE0[0x1A]
11:00:14:125 0188 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
11:00:14:125 0188 DetectCureTDL3: IrpHandler (0) addr: BA715572
11:00:14:125 0188 DetectCureTDL3: IrpHandler (1) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (2) addr: BA715572
11:00:14:125 0188 DetectCureTDL3: IrpHandler (3) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (4) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (5) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (6) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (7) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (8) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (9) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (10) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (11) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (12) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (13) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (14) addr: BA715592
11:00:14:125 0188 DetectCureTDL3: IrpHandler (15) addr: BA7117B4
11:00:14:125 0188 DetectCureTDL3: IrpHandler (16) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (17) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (18) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (19) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (20) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (21) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (22) addr: BA7155BC
11:00:14:125 0188 DetectCureTDL3: IrpHandler (23) addr: BA71C164
11:00:14:125 0188 DetectCureTDL3: IrpHandler (24) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (25) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (26) addr: 804F4544
11:00:14:125 0188 KLMD_ReadMem: Trying to ReadMemory 0xBA7127C6[0x400]
11:00:14:125 0188 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
11:00:14:125 0188 TDL3_FileDetect: Processing driver: atapi
11:00:14:125 0188 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
11:00:14:125 0188 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
11:00:14:125 0188 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
11:00:14:125 0188
11:00:14:125 0188 DetectCureTDL3: DEVICE_OBJECT: 8A620AB8
11:00:14:125 0188 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A620AB8
11:00:14:125 0188 DetectCureTDL3: DEVICE_OBJECT: 8A623D98
11:00:14:125 0188 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A623D98
11:00:14:125 0188 KLMD_ReadMem: Trying to ReadMemory 0x8A623D98[0x38]
11:00:14:125 0188 DetectCureTDL3: DRIVER_OBJECT: 8A6A4900
11:00:14:125 0188 KLMD_ReadMem: Trying to ReadMemory 0x8A6A4900[0xA8]
11:00:14:125 0188 KLMD_ReadMem: Trying to ReadMemory 0xE101EFE0[0x1A]
11:00:14:125 0188 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
11:00:14:125 0188 DetectCureTDL3: IrpHandler (0) addr: BA715572
11:00:14:125 0188 DetectCureTDL3: IrpHandler (1) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (2) addr: BA715572
11:00:14:125 0188 DetectCureTDL3: IrpHandler (3) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (4) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (5) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (6) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (7) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (8) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (9) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (10) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (11) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (12) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (13) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (14) addr: BA715592
11:00:14:125 0188 DetectCureTDL3: IrpHandler (15) addr: BA7117B4
11:00:14:125 0188 DetectCureTDL3: IrpHandler (16) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (17) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (18) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (19) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (20) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (21) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (22) addr: BA7155BC
11:00:14:125 0188 DetectCureTDL3: IrpHandler (23) addr: BA71C164
11:00:14:125 0188 DetectCureTDL3: IrpHandler (24) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (25) addr: 804F4544
11:00:14:125 0188 DetectCureTDL3: IrpHandler (26) addr: 804F4544
11:00:14:125 0188 KLMD_ReadMem: Trying to ReadMemory 0xBA7127C6[0x400]
11:00:14:125 0188 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
11:00:14:125 0188 TDL3_FileDetect: Processing driver: atapi
11:00:14:125 0188 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
11:00:14:125 0188 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
11:00:14:125 0188 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
11:00:14:125 0188 UtilityBootReinit: Reboot required for cure complete..
11:00:14:125 0188 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
11:00:14:125 0188 UtilityBootReinit: KLMD drop success
11:00:14:140 0188 KLMD_ApplyPendList: Pending buffer(4FCF_5D55, 1152) dropped successfully
11:00:14:140 0188 UtilityBootReinit: Cure on reboot scheduled successfully
11:00:14:140 0188
11:00:14:140 0188 Completed
11:00:14:140 0188
11:00:14:140 0188 Results:
11:00:14:140 0188 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
11:00:14:140 0188 Registry objects infected / cured / cured on reboot: 2 / 0 / 2
11:00:14:140 0188 File objects infected / cured / cured on reboot: 7 / 0 / 7
11:00:14:140 0188
11:00:14:140 0188 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
11:00:14:140 0188 UtilityDeinit: KLMD(ARK) unloaded successfully

peku006
2010-01-23, 09:15
Hi Appro

Please try combofix again

Thanks peku006

Appro
2010-01-23, 13:04
combofix.txt:
ComboFix 10-01-22.03 - Chris 01/23/2010 22:51:09.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3327.2479 [GMT 10:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\h8srtmainqt.dll
c:\program files\Malware Defense
c:\program files\Malware Defense\md.db
c:\windows\Fonts\MyriadPro-Regular.otf
c:\windows\system32\fabapufu.dll
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTobwulkdwfd.log
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\kuwibipa.dll
c:\windows\system32\lsprst7.dll
c:\windows\system32\lutayesi.dll
c:\windows\system32\msvcsv60.dll
c:\windows\system32\slibas.dll
c:\windows\system32\slibytr.dll
c:\windows\system32\sslibdd.dll
c:\windows\system32\sslibhe.dll
c:\windows\system32\sslibjtd.dll
c:\windows\system32\sslibrh.dll
c:\windows\system32\sslibsu.dll
c:\windows\system32\ssprs.dll
c:\windows\unins000.dat
c:\windows\unins000.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-23 to 2010-01-23 )))))))))))))))))))))))))))))))
.

2010-01-22 08:35 . 2010-01-22 08:35 -------- d-----w- c:\documents and settings\Chris\Application Data\Lexicon PCM Native
2010-01-22 08:35 . 2010-01-22 08:35 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{A97DA822-7B29-4F18-A64A-BF94FFFE77FB}
2010-01-20 13:54 . 2010-01-20 13:54 -------- d-----w- C:\rsit
2010-01-19 13:25 . 2010-01-19 13:25 -------- d-----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2010-01-19 02:27 . 2010-01-07 06:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-19 02:27 . 2010-01-19 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-19 02:27 . 2010-01-07 06:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-18 12:18 . 2010-01-19 13:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 08:28 . 2010-01-14 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\WD_SmartWareCommon
2010-01-14 08:13 . 2010-01-14 08:13 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Western_Digital
2010-01-14 08:10 . 2010-01-14 08:10 -------- d-----w- c:\documents and settings\Chris\Application Data\Western Digital
2010-01-14 08:10 . 2010-01-14 08:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2010-01-14 08:10 . 2010-01-14 08:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-01-14 08:10 . 2009-02-13 02:02 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2010-01-14 08:10 . 2010-01-14 08:10 -------- d-----w- c:\program files\Western Digital
2010-01-14 08:04 . 2010-01-14 08:04 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Western Digital
2010-01-13 01:36 . 2010-01-13 01:36 -------- d-----w- c:\windows\system32\KB905474
2010-01-13 01:36 . 2009-03-10 12:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2010-01-13 01:36 . 2009-03-10 12:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2010-01-13 01:34 . 2010-01-13 01:34 -------- d-----w- c:\windows\ServicePackFiles
2010-01-13 01:32 . 2004-08-03 23:56 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-01-13 01:32 . 2008-07-09 07:38 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-01-13 01:29 . 2010-01-13 01:29 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2010-01-13 01:24 . 2010-01-13 01:36 -------- d--h--w- c:\windows\$hf_mig$
2010-01-12 14:29 . 2010-01-12 14:29 -------- d-----w- c:\documents and settings\Chris\Application Data\AVG8
2010-01-12 14:25 . 2010-01-12 14:56 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-01-12 13:31 . 2009-10-29 07:45 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-12 13:31 . 2009-10-29 07:45 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-12 13:31 . 2009-10-29 07:45 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-12 13:31 . 2009-10-29 07:45 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2010-01-12 13:31 . 2009-10-29 07:45 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2010-01-12 13:31 . 2009-10-28 14:05 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-01-12 13:31 . 2009-06-29 08:33 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2010-01-12 13:31 . 2009-10-29 07:45 6070784 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-12 13:29 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-01-12 13:29 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-01-12 13:29 . 2010-01-23 01:17 -------- d-----w- c:\program files\Trend Micro
2010-01-12 13:08 . 2009-06-09 14:53 53248 -c----w- c:\windows\system32\dllcache\tsgqec.dll
2010-01-12 13:08 . 2009-06-09 14:53 290816 -c----w- c:\windows\system32\dllcache\rhttpaa.dll
2010-01-12 13:08 . 2009-06-09 14:53 136192 -c----w- c:\windows\system32\dllcache\aaclient.dll
2010-01-12 13:07 . 2010-01-12 13:34 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-12 13:03 . 2008-10-24 11:25 455936 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-12 13:02 . 2009-08-04 12:49 2142720 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-12 13:02 . 2009-08-04 12:51 2185984 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-01-12 13:02 . 2009-08-04 12:02 2020864 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-12 13:02 . 2009-08-04 12:02 2062976 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-01-12 12:53 . 2009-08-06 09:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-12 11:56 . 2010-01-12 11:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-12 11:49 . 2010-01-12 11:48 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-12 11:25 . 2010-01-12 11:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2010-01-12 11:24 . 2010-01-12 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-12 11:24 . 2010-01-12 11:24 -------- d-----w- c:\program files\Lavasoft
2010-01-08 06:57 . 2010-01-08 06:57 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 01:17 . 2009-02-16 16:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-22 08:03 . 2009-02-16 17:14 -------- d-----w- c:\program files\FlashGet
2010-01-22 02:10 . 2009-04-10 06:56 -------- d-----w- c:\program files\Pro-53
2010-01-22 01:36 . 2010-01-22 01:36 749 ----a-w- c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
2010-01-22 01:36 . 2010-01-22 01:36 749 ----a-w- c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
2010-01-13 01:36 . 2009-10-12 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-12 11:49 . 2010-01-12 11:49 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-12 11:49 . 2010-01-12 11:49 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2010-01-12 11:49 . 2010-01-12 11:49 168800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-12 11:49 . 2010-01-12 11:49 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-12 11:49 . 2010-01-12 11:49 349008 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-12 11:49 . 2010-01-12 11:49 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-12 11:49 . 2010-01-12 11:49 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2010-01-12 11:49 . 2010-01-12 11:49 84320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-12 11:48 . 2010-01-12 11:48 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-12 11:48 . 2010-01-12 11:48 246640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-12 11:48 . 2010-01-12 11:48 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2010-01-12 11:48 . 2010-01-12 11:48 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-12 11:48 . 2010-01-12 11:48 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2010-01-12 11:48 . 2010-01-12 11:48 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2010-01-12 11:48 . 2010-01-12 11:48 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2010-01-12 11:48 . 2010-01-12 11:48 664936 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-12 11:48 . 2010-01-12 11:48 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-12 11:47 . 2010-01-12 11:47 562552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-12 11:47 . 2010-01-12 11:47 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-12 11:47 . 2010-01-12 11:47 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-12 11:46 . 2010-01-12 11:46 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2010-01-12 11:46 . 2010-01-12 11:46 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-12 11:46 . 2010-01-12 11:46 1028432 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-12 07:59 . 2009-04-17 01:40 -------- d-----w- c:\documents and settings\Chris\Application Data\FabFilter
2010-01-12 07:52 . 2009-12-06 13:21 -------- d-----w- c:\program files\Common Files\VST3
2010-01-12 07:52 . 2009-04-17 01:39 -------- d-----w- c:\program files\FabFilter
2010-01-11 15:24 . 2009-02-20 23:00 -------- d-----w- c:\documents and settings\Chris\Application Data\LimeWire
2010-01-06 16:25 . 2010-01-22 08:35 3068984 -c--a-w- c:\documents and settings\All Users\Application Data\{A97DA822-7B29-4F18-A64A-BF94FFFE77FB}\Setup_PCM_Native_VST.exe
2010-01-04 14:48 . 2009-03-15 10:40 48 ----a-w- c:\windows\msocreg32.dat
2009-12-28 15:35 . 2009-02-16 17:04 -------- d-----w- c:\documents and settings\Chris\Application Data\uTorrent
2009-12-23 14:08 . 2009-12-23 14:08 -------- d-----w- c:\program files\Rockstar Games
2009-12-16 16:33 . 2009-12-16 16:33 -------- d-----w- c:\program files\Solid State Logic
2009-12-07 12:31 . 2009-12-07 12:31 -------- d-----w- c:\program files\Freequency 2.0
2009-12-07 09:38 . 2009-03-01 05:32 -------- d-----w- c:\program files\PSPaudioware
2009-12-07 09:33 . 2009-12-07 09:33 -------- d-----w- c:\program files\Sonalksis
2009-11-27 11:30 . 2009-11-27 11:30 -------- d-----w- c:\program files\Amazon
2009-11-25 15:51 . 2009-11-25 15:51 -------- d-----w- c:\program files\Sonnox
2009-11-09 03:08 . 2009-11-09 03:08 0 ---ha-w- c:\documents and settings\Chris\Application Data\.D80ED304859F7D89.sys
2009-11-09 03:08 . 2009-11-09 03:08 0 ---ha-w- c:\documents and settings\Chris\Application Data\.D80ED304859F7D89.sys
2009-11-09 03:07 . 2009-11-09 03:07 10134 ----a-r- c:\documents and settings\Chris\Application Data\Microsoft\Installer\{36F0FA39-2875-4EFD-977C-C405A5E4A403}\ARPPRODUCTICON.exe
2009-11-07 09:05 . 2009-11-07 09:05 56896 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-07 08:09 . 2009-11-07 08:09 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:45 . 2007-04-15 21:23 841216 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45 . 2007-04-15 21:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:45 . 2007-04-15 21:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-05-18 04:10 . 2009-05-18 04:10 6537 --sh--w- c:\windows\system32\buyenayo.dll
2009-05-18 04:10 . 2009-05-18 04:10 6537 --sh--w- c:\windows\system32\fosepoyo.dll
2009-05-19 13:29 . 2009-05-19 13:29 6537 --sh--w- c:\windows\system32\giwawawo.dll
2009-05-16 23:51 . 2009-05-16 23:51 6537 --sh--w- c:\windows\system32\gopikobi.dll
2009-05-20 06:49 . 2009-05-20 06:49 6537 --sh--w- c:\windows\system32\gulidowu.dll
2009-05-19 13:29 . 2009-05-19 13:29 6537 --sh--w- c:\windows\system32\hodajupi.dll
2009-05-20 06:49 . 2009-05-20 06:49 6537 --sh--w- c:\windows\system32\huvajolu.dll
2009-05-17 13:54 . 2009-05-17 13:54 6537 --sh--w- c:\windows\system32\jawepuwa.dll
2009-05-19 13:29 . 2009-05-19 13:29 6537 --sh--w- c:\windows\system32\mapatawa.dll
2009-05-17 13:54 . 2009-05-17 13:54 6537 --sh--w- c:\windows\system32\perowimi.dll
2009-05-17 13:54 . 2009-05-17 13:54 6537 --sh--w- c:\windows\system32\varadosa.dll
2009-05-18 04:10 . 2009-05-18 04:10 6537 --sh--w- c:\windows\system32\vegozadi.dll
2009-05-16 23:51 . 2009-05-16 23:51 6537 --sh--w- c:\windows\system32\zomutaho.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-25 13529088]
"nwiz"="nwiz.exe" [2008-06-25 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-25 86016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-10 307200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-01-12 520024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WPN311 Smart Wizard.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2006-12-4 1503232]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-10-14 2049344]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-10-14 9085760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-09-16 21:05 210168 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=rddv1027.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
2007-09-25 08:10 2007088 ----a-w- c:\program files\FlashGet\flashget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-28 10:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Phase28Panel]
2007-03-21 06:23 266240 ----a-w- c:\program files\TerraTec\PHASE 22 & 28 ControlPanel\ProtecMixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 06:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinampAgent"="c:\program files\Winamp\winampa.exe"
"Flashget"="c:\program files\FlashGet\FlashGet.exe" /min

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/12/2010 9:49 PM 64160]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/20/2008 10:11 AM 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/20/2008 10:08 AM 472320]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/10/2009 5:06 AM 1028432]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [10/14/2009 2:31 PM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2/18/2009 12:39 AM 33792]
R3 Protec;PHASE WDM Audio;c:\windows\system32\drivers\Protec.sys [10/13/2005 10:33 AM 69664]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [1/14/2010 6:10 PM 11520]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [8/23/2001 10:00 PM 3584]
S3 lm1394;Liquid Mix Service;c:\windows\system32\drivers\lm1394.sys [3/4/2009 12:14 PM 30208]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-23 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-01-13 12:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\1clh0ks1.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{7ab906e7-c404-4328-9531-0d36ae8196d1} - c:\windows\system32\mohoyodi.dll
HKCU-Run-Malware Defense - c:\program files\Malware Defense\mdefense.exe
AddRemove-Arturia Arp2600 V v1.0 - c:\progra~1\Arturia\ARP260~1\UNWISE.EXE
AddRemove-Arturia Minimoog V v1.0 - c:\progra~1\Arturia\MINIMO~1\UNWISE.EXE
AddRemove-Arturia Moog Modular V2 v1.0 - c:\progra~1\Arturia\MOOGMO~1\UNWISE.EXE
AddRemove-Camel Audio Alchemy - c:\program files\Steinberg\VstPlugins\Alchemy\Alchemy\AlchemyUninstall.exe
AddRemove-Cycling '74 MaxMSP v4.5.4 - c:\progra~1\CYCLIN~1\MAXMSP~1.5\UNWISE.EXE
AddRemove-Kjaerhus Audio Golden Audio Gate GAG-1 v1.02 VST - c:\progra~1\KJAERH~1\GAG-1\UNWISE.EXE
AddRemove-N.I Pro-53 v3.0-OxYGeN - c:\progra~1\Pro-53\UNWISE.EXE
AddRemove-Native Instruments FM7 v1.10.006 - c:\progra~1\NATIVE~1\FM7\UNWISE.EXE
AddRemove-Native Instruments Massive v1.0.1.008 VSTi DXi RTAS - c:\progra~1\NATIVE~1\Massive\UNWISE.EXE
AddRemove-Sonalksis Plug-Ins for Windows_is1 - c:\windows\unins000.exe
AddRemove-Steinberg Nuendo v3.2.0.1128 - c:\progra~1\STEINB~1\NUENDO~1\UNWISE.EXE
AddRemove-Waves Diamond Bundle v5.0 - c:\progra~1\Waves\UNINST~1\UNWISE.EXE
AddRemove-Waves Diamond Bundle v5.2 - c:\progra~1\Waves\DIAMON~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-23 22:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Chris\LOCALS~1\Temp\CSCB.tmp 652 bytes
c:\docume~1\Chris\LOCALS~1\Temp\kbkkpbac.0.cs 15977 bytes
c:\docume~1\Chris\LOCALS~1\Temp\kbkkpbac.cmdline 463 bytes
c:\docume~1\Chris\LOCALS~1\Temp\kbkkpbac.dll 0 bytes
c:\docume~1\Chris\LOCALS~1\Temp\kbkkpbac.err 0 bytes
c:\docume~1\Chris\LOCALS~1\Temp\kbkkpbac.out 585 bytes
c:\docume~1\Chris\LOCALS~1\Temp\kbkkpbac.tmp 0 bytes
c:\docume~1\Chris\LOCALS~1\Temp\RESC.tmp 0 bytes

scan completed successfully
hidden files: 8

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'lsass.exe'(740)
c:\windows\system32\rddv1027.dll

- - - - - - - > 'explorer.exe'(3432)
c:\windows\system32\WININET.dll
c:\program files\RocketDock\RocketDock.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-23 23:04:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-23 13:04

Pre-Run: 314,557,612,032 bytes free
Post-Run: 317,713,788,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4590A442FC47A2DF173D796283CE7A1D

peku006
2010-01-23, 15:30
Hi Appro

1 - Run CFScript

Open Notepad and copy/paste the text in the box into the window:


File::
c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
c:\windows\system32\buyenayo.dll
c:\windows\system32\fosepoyo.dll
c:\windows\system32\giwawawo.dll
c:\windows\system32\gopikobi.dll
c:\windows\system32\gulidowu.dll
c:\windows\system32\hodajupi.dll
c:\windows\system32\huvajolu.dll
c:\windows\system32\jawepuwa.dll
c:\windows\system32\mapatawa.dll
c:\windows\system32\perowimi.dll
c:\windows\system32\varadosa.dll
c:\windows\system32\vegozadi.dll
c:\windows\system32\zomutaho.dll
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2 - Status Check
Please reply with

1. the ComboFix log (C:\ComboFix.txt)

Thanks peku006

.

Appro
2010-01-23, 16:52
ComboFix log:

ComboFix 10-01-22.03 - Chris 01/24/2010 2:49.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3327.2541 [GMT 10:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris\Desktop\CFscript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FILE ::
"c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll"
"c:\windows\system32\buyenayo.dll"
"c:\windows\system32\fosepoyo.dll"
"c:\windows\system32\giwawawo.dll"
"c:\windows\system32\gopikobi.dll"
"c:\windows\system32\gulidowu.dll"
"c:\windows\system32\hodajupi.dll"
"c:\windows\system32\huvajolu.dll"
"c:\windows\system32\jawepuwa.dll"
"c:\windows\system32\mapatawa.dll"
"c:\windows\system32\perowimi.dll"
"c:\windows\system32\varadosa.dll"
"c:\windows\system32\vegozadi.dll"
"c:\windows\system32\zomutaho.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
c:\windows\system32\buyenayo.dll
c:\windows\system32\fosepoyo.dll
c:\windows\system32\giwawawo.dll
c:\windows\system32\gopikobi.dll
c:\windows\system32\gulidowu.dll
c:\windows\system32\hodajupi.dll
c:\windows\system32\huvajolu.dll
c:\windows\system32\jawepuwa.dll
c:\windows\system32\mapatawa.dll
c:\windows\system32\perowimi.dll
c:\windows\system32\varadosa.dll
c:\windows\system32\vegozadi.dll
c:\windows\system32\zomutaho.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-23 to 2010-01-23 )))))))))))))))))))))))))))))))
.

2010-01-22 08:35 . 2010-01-22 08:35 -------- d-----w- c:\documents and settings\Chris\Application Data\Lexicon PCM Native
2010-01-22 08:35 . 2010-01-22 08:35 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{A97DA822-7B29-4F18-A64A-BF94FFFE77FB}
2010-01-22 08:35 . 2010-01-06 16:25 3068984 -c--a-w- c:\documents and settings\All Users\Application Data\{A97DA822-7B29-4F18-A64A-BF94FFFE77FB}\Setup_PCM_Native_VST.exe
2010-01-20 13:54 . 2010-01-20 13:54 -------- d-----w- C:\rsit
2010-01-19 13:25 . 2010-01-19 13:25 -------- d-----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2010-01-19 02:27 . 2010-01-07 06:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-19 02:27 . 2010-01-19 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-19 02:27 . 2010-01-07 06:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-18 12:18 . 2010-01-19 13:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 08:28 . 2010-01-14 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\WD_SmartWareCommon
2010-01-14 08:13 . 2010-01-14 08:13 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Western_Digital
2010-01-14 08:10 . 2010-01-14 08:10 -------- d-----w- c:\documents and settings\Chris\Application Data\Western Digital
2010-01-14 08:10 . 2010-01-14 08:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2010-01-14 08:10 . 2010-01-14 08:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-01-14 08:10 . 2009-02-13 02:02 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2010-01-14 08:10 . 2010-01-14 08:10 -------- d-----w- c:\program files\Western Digital
2010-01-14 08:04 . 2010-01-14 08:04 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Western Digital
2010-01-13 01:36 . 2010-01-13 01:36 -------- d-----w- c:\windows\system32\KB905474
2010-01-13 01:36 . 2009-03-10 12:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2010-01-13 01:36 . 2009-03-10 12:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2010-01-13 01:34 . 2010-01-13 01:34 -------- d-----w- c:\windows\ServicePackFiles
2010-01-13 01:32 . 2004-08-03 23:56 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-01-13 01:32 . 2008-07-09 07:38 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-01-13 01:29 . 2010-01-13 01:29 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2010-01-13 01:24 . 2010-01-13 01:36 -------- d--h--w- c:\windows\$hf_mig$
2010-01-12 14:29 . 2010-01-12 14:29 -------- d-----w- c:\documents and settings\Chris\Application Data\AVG8
2010-01-12 14:25 . 2010-01-12 14:56 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-01-12 13:31 . 2009-10-29 07:45 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-12 13:31 . 2009-10-29 07:45 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-12 13:31 . 2009-10-29 07:45 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-12 13:31 . 2009-10-29 07:45 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2010-01-12 13:31 . 2009-10-29 07:45 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2010-01-12 13:31 . 2009-10-28 14:05 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-01-12 13:31 . 2009-06-29 08:33 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2010-01-12 13:31 . 2009-10-29 07:45 6070784 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-12 13:29 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-01-12 13:29 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-01-12 13:29 . 2010-01-23 01:17 -------- d-----w- c:\program files\Trend Micro
2010-01-12 13:08 . 2009-06-09 14:53 53248 -c----w- c:\windows\system32\dllcache\tsgqec.dll
2010-01-12 13:08 . 2009-06-09 14:53 290816 -c----w- c:\windows\system32\dllcache\rhttpaa.dll
2010-01-12 13:08 . 2009-06-09 14:53 136192 -c----w- c:\windows\system32\dllcache\aaclient.dll
2010-01-12 13:07 . 2010-01-12 13:34 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-12 13:03 . 2008-10-24 11:25 455936 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-12 13:02 . 2009-08-04 12:49 2142720 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-12 13:02 . 2009-08-04 12:51 2185984 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-01-12 13:02 . 2009-08-04 12:02 2020864 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-12 13:02 . 2009-08-04 12:02 2062976 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-01-12 12:53 . 2009-08-06 09:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-12 11:56 . 2010-01-12 11:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-12 11:49 . 2010-01-12 11:48 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-12 11:49 . 2010-01-12 11:49 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-12 11:49 . 2010-01-12 11:49 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2010-01-12 11:49 . 2010-01-12 11:49 168800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-12 11:49 . 2010-01-12 11:49 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-12 11:49 . 2010-01-12 11:49 349008 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-12 11:49 . 2010-01-12 11:49 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-12 11:49 . 2010-01-12 11:49 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2010-01-12 11:49 . 2010-01-12 11:49 84320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-12 11:48 . 2010-01-12 11:48 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-12 11:48 . 2010-01-12 11:48 246640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-12 11:48 . 2010-01-12 11:48 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2010-01-12 11:48 . 2010-01-12 11:48 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-12 11:48 . 2010-01-12 11:48 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2010-01-12 11:48 . 2010-01-12 11:48 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2010-01-12 11:48 . 2010-01-12 11:48 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2010-01-12 11:48 . 2010-01-12 11:48 664936 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-12 11:48 . 2010-01-12 11:48 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-12 11:47 . 2010-01-12 11:47 562552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-12 11:47 . 2010-01-12 11:47 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-12 11:47 . 2010-01-12 11:47 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-12 11:46 . 2010-01-12 11:46 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2010-01-12 11:46 . 2010-01-12 11:46 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-12 11:46 . 2010-01-12 11:46 1028432 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-12 11:25 . 2010-01-12 11:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2010-01-12 11:25 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2010-01-12 11:24 . 2010-01-12 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-12 11:24 . 2010-01-12 11:24 -------- d-----w- c:\program files\Lavasoft
2010-01-08 06:57 . 2010-01-08 06:57 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 01:17 . 2009-02-16 16:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-22 08:03 . 2009-02-16 17:14 -------- d-----w- c:\program files\FlashGet
2010-01-22 02:10 . 2009-04-10 06:56 -------- d-----w- c:\program files\Pro-53
2010-01-13 01:36 . 2009-10-12 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-12 07:59 . 2009-04-17 01:40 -------- d-----w- c:\documents and settings\Chris\Application Data\FabFilter
2010-01-12 07:52 . 2009-12-06 13:21 -------- d-----w- c:\program files\Common Files\VST3
2010-01-12 07:52 . 2009-04-17 01:39 -------- d-----w- c:\program files\FabFilter
2010-01-11 15:24 . 2009-02-20 23:00 -------- d-----w- c:\documents and settings\Chris\Application Data\LimeWire
2010-01-04 14:48 . 2009-03-15 10:40 48 ----a-w- c:\windows\msocreg32.dat
2009-12-28 15:35 . 2009-02-16 17:04 -------- d-----w- c:\documents and settings\Chris\Application Data\uTorrent
2009-12-23 14:08 . 2009-12-23 14:08 -------- d-----w- c:\program files\Rockstar Games
2009-12-16 16:33 . 2009-12-16 16:33 -------- d-----w- c:\program files\Solid State Logic
2009-12-07 12:31 . 2009-12-07 12:31 -------- d-----w- c:\program files\Freequency 2.0
2009-12-07 09:38 . 2009-03-01 05:32 -------- d-----w- c:\program files\PSPaudioware
2009-12-07 09:33 . 2009-12-07 09:33 -------- d-----w- c:\program files\Sonalksis
2009-11-27 11:30 . 2009-11-27 11:30 -------- d-----w- c:\program files\Amazon
2009-11-25 15:51 . 2009-11-25 15:51 -------- d-----w- c:\program files\Sonnox
2009-11-09 03:08 . 2009-11-09 03:08 0 ---ha-w- c:\documents and settings\Chris\Application Data\.D80ED304859F7D89.sys
2009-11-09 03:08 . 2009-11-09 03:08 0 ---ha-w- c:\documents and settings\Chris\Application Data\.D80ED304859F7D89.sys
2009-11-09 03:07 . 2009-11-09 03:07 10134 ----a-r- c:\documents and settings\Chris\Application Data\Microsoft\Installer\{36F0FA39-2875-4EFD-977C-C405A5E4A403}\ARPPRODUCTICON.exe
2009-11-07 09:05 . 2009-11-07 09:05 56896 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-07 08:09 . 2009-11-07 08:09 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:45 . 2007-04-15 21:23 841216 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:45 . 2007-04-15 21:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:45 . 2007-04-15 21:24 17408 ----a-w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-25 13529088]
"nwiz"="nwiz.exe" [2008-06-25 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-25 86016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-10 307200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-01-12 520024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WPN311 Smart Wizard.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2006-12-4 1503232]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-10-14 2049344]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-10-14 9085760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-09-16 21:05 210168 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=rddv1027.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
2007-09-25 08:10 2007088 ----a-w- c:\program files\FlashGet\flashget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-28 10:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Phase28Panel]
2007-03-21 06:23 266240 ----a-w- c:\program files\TerraTec\PHASE 22 & 28 ControlPanel\ProtecMixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 06:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinampAgent"="c:\program files\Winamp\winampa.exe"
"Flashget"="c:\program files\FlashGet\FlashGet.exe" /min

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/12/2010 9:49 PM 64160]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/20/2008 10:11 AM 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/20/2008 10:08 AM 472320]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [10/14/2009 2:31 PM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2/18/2009 12:39 AM 33792]
R3 Protec;PHASE WDM Audio;c:\windows\system32\drivers\Protec.sys [10/13/2005 10:33 AM 69664]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [1/14/2010 6:10 PM 11520]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/10/2009 5:06 AM 1028432]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [8/23/2001 10:00 PM 3584]
S3 lm1394;Liquid Mix Service;c:\windows\system32\drivers\lm1394.sys [3/4/2009 12:14 PM 30208]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-23 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-01-13 12:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\1clh0ks1.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-24 02:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'lsass.exe'(740)
c:\windows\system32\rddv1027.dll
.
Completion time: 2010-01-24 02:53:34
ComboFix-quarantined-files.txt 2010-01-23 16:53

Pre-Run: 317,747,728,384 bytes free
Post-Run: 317,736,767,488 bytes free

- - End Of File - - 06750E4FEE1CAD7CD32FFFC3BC4EA8F0

peku006
2010-01-23, 18:04
Hi Appro

I'd like you to check (a file/some files) for viruses.

Go to VirusTotal (http://www.virustotal.com) or Jotti's (http://virusscan.jotti.org/)


c:\windows\system32\DRIVERS\TMPassthru.sys

Copy/Paste file into the white Upload a file box.
Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Copy and Paste results in your next reply.

Thanks peku006

Appro
2010-01-24, 07:49
I tried both jotti and virustotal but they both said

'c:\windows\system32\DRIVERS\TMPassthru.sys file not found'

peku006
2010-01-24, 08:23
Hi Appro

OK, the file does not exist.

1 - Run Malwarebytes' Anti-Malware


Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update has been completed, select the Scanner tab.
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
We will take care of the System Volume Information items later.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2 - Status Check
Please reply with

1. the Malwarebytes' Anti-Malware Log

Thanks peku006

Appro
2010-01-25, 13:49
mbam:



Malwarebytes' Anti-Malware 1.44
Database version: 3631
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

1/25/2010 11:51:42 PM
mbam-log-2010-01-25 (23-51-42).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|G:\|H:\|I:\|)
Objects scanned: 795964
Time elapsed: 4 hour(s), 25 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\KORG\KORG Legacy\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{816A2130-6251-498B-8B5D-6555FA444A3D}\RP262\A0035723.sys (Malware.Trace) -> Not selected for removal.
C:\System Volume Information\_restore{816A2130-6251-498B-8B5D-6555FA444A3D}\RP262\A0035782.EXE (Malware.Packer.Morphine) -> Not selected for removal.
C:\System Volume Information\_restore{816A2130-6251-498B-8B5D-6555FA444A3D}\RP262\A0035785.EXE (Malware.Packer.Morphine) -> Not selected for removal.
C:\System Volume Information\_restore{816A2130-6251-498B-8B5D-6555FA444A3D}\RP262\A0035787.EXE (Malware.Packer.Morphine) -> Not selected for removal.
C:\System Volume Information\_restore{816A2130-6251-498B-8B5D-6555FA444A3D}\RP262\A0035788.EXE (Malware.Packer.Morphine) -> Not selected for removal.
C:\System Volume Information\_restore{816A2130-6251-498B-8B5D-6555FA444A3D}\RP262\A0035790.EXE (Malware.Packer.Morphine) -> Not selected for removal.
C:\System Volume Information\_restore{816A2130-6251-498B-8B5D-6555FA444A3D}\RP262\A0035791.EXE (Malware.Packer.Morphine) -> Not selected for removal.
C:\System Volume Information\_restore{816A2130-6251-498B-8B5D-6555FA444A3D}\RP262\A0035793.EXE (Malware.Packer.Morphine) -> Not selected for removal.
C:\System Volume Information\_restore{816A2130-6251-498B-8B5D-6555FA444A3D}\RP262\A0035882.sys (Malware.Trace) -> Not selected for removal.
C:\System Volume Information\_restore{816A2130-6251-498B-8B5D-6555FA444A3D}\RP262\A0035998.sys (Malware.Trace) -> Not selected for removal.
D:\Downloads\Rob.Papen.LinPlug.Albino.VSTi.v3.0.2.incl.KeyGen-BEAT\Albino3Installer302.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\Projects\samp\Ueberschall.Minimal.House.VSTi.RTAS.AU.HYBRID.DVDR-DYNAMiCS\NGEN_KeyGen-Ueberschall_Liquid Instruments-Elastik.exe (Worm.Brontok) -> Quarantined and deleted successfully.
D:\Projects\Sony Acid Pro 5.0 + Key\kgsonyall.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{816A2130-6251-498B-8B5D-6555FA444A3D}\RP262\A0036226.exe (Worm.Brontok) -> Quarantined and deleted successfully.
E:\Projects\Plug-ins\New\Rob.Papen.LinPlug.Albino.VSTi.v3.0.2.incl.KeyGen-BEAT\Albino3Installer302.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
E:\Projects\Projects 2006-2008\samp\Ueberschall.Minimal.House.VSTi.RTAS.AU.HYBRID.DVDR-DYNAMiCS\NGEN_KeyGen-Ueberschall_Liquid Instruments-Elastik.exe (Worm.Brontok) -> Quarantined and deleted successfully.
E:\Projects\Projects 2006-2008\Sony Acid Pro 5.0 + Key\kgsonyall.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{816A2130-6251-498B-8B5D-6555FA444A3D}\RP262\A0036227.exe (Worm.Brontok) -> Quarantined and deleted successfully.

peku006
2010-01-25, 17:31
Hi Appro

Download CKScanner by askey127 from HERE (http://downloads.malwareremoval.com/CKScanner.exe)
Important - Save it to your desktop.
Doubleclick CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Thanks peku006

Appro
2010-01-26, 02:22
CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\chris\start menu\programs\waves\documents\x-crackle help.lnk
c:\downloads\other software\winamp pro v5.541.2189+keygen[h33t]masteruploader\winamp pro v5.541.2189+keygen[h33t]masteruploader.rar
c:\downloads\pro audio plug-ins\camel audio camelspace vst v1.42 incl keygen-air\a-csp142.rar
c:\downloads\pro audio plug-ins\camel audio camelspace vst v1.42 incl keygen-air\a-csp142.zip
c:\downloads\pro audio plug-ins\camel audio camelspace vst v1.42 incl keygen-air\air.nfo
c:\downloads\pro audio plug-ins\d16.group.toraverb.vst.v1.0.1.incl.keygen.working-air\d16.group.toraverb.vst.v1.0.1.incl.keygen.working-air.rar
c:\downloads\pro audio plug-ins\gforce.the.oddity.vsti.rtas.v1.15.incl.keygen-air\gforce.the.oddity.vsti.rtas.v1.15.incl.keygen-air.rar
c:\downloads\pro audio plug-ins\ik.multimedia.amplitube.jimi.hendrix.v1.0.3.vst.rtas.incl.keygen-dynamics\ik.multimedia.amplitube.jimi.hendrix.v1.0.3.vst.rtas.incl.keygen-dynamics.rar
c:\downloads\pro audio plug-ins\ik.multimedia.amplitube.jimi.hendrix.v1.0.3.vst.rtas.incl.keygen-dynamics\keygen.rar
c:\downloads\pro audio plug-ins\ik.multimedia.amplitube.v2.1.4.vst.rtas.incl.keygen-dynamics\ik.multimedia.amplitube.v2.1.4.vst.rtas.incl.keygen-dynamics.rar
c:\downloads\pro audio plug-ins\novation.bass-station.vsti.v1.5.1.incl.keygen-air\a-nbs150.rar
c:\downloads\pro audio plug-ins\novation.bass-station.vsti.v1.5.1.incl.keygen-air\a-nbs151.zip
c:\downloads\pro audio plug-ins\novation.bass-station.vsti.v1.5.1.incl.keygen-air\air.nfo
c:\downloads\pro audio plug-ins\ohmforce.mobilohm.pro.vst.rtas.v1.21.incl.keygen-air\ohmforce.mobilohm.pro.vst.rtas.v1.21.incl.keygen-air.rar
c:\downloads\pro audio plug-ins\ohmforce.quadfrohmage.pro.vst.rtas.v1.31.incl.keygen-air\ohmforce.quadfrohmage.pro.vst.rtas.v1.31.incl.keygen-air.rar
c:\downloads\pro audio plug-ins\psp.audioware.oldtimer.v1.1.6.vst.rtas.incl.keygen-dynamics\psp.audioware.oldtimer.v1.1.6.vst.rtas.incl.keygen-dynamics.rar
c:\downloads\pro audio plug-ins\psp.audioware.vintage.warmer.vst.rtas.v2.1.4.incl.keygen-air\psp.audioware.vintage.warmer.vst.rtas.v2.1.4.incl.keygen-air.rar
c:\downloads\pro audio plug-ins\trilogy keygen\a-trlkg.rar
c:\downloads\pro audio plug-ins\trilogy keygen\arctic.nfo
c:\downloads\pro audio plug-ins\trilogy keygen\file_id.diz
c:\downloads\pro audio plug-ins\trilogy keygen\nia.nfo
c:\downloads\pro audio plug-ins\trilogy keygen\tnl.nfo
c:\downloads\pro audio plug-ins\voxengo.transgainer.vst.v1.0.x32.x64.incl.keygen-air\voxengo.transgainer.vst.v1.0.x32.x64.incl.keygen-air.rar
c:\program files\common files\native instruments\shared content\sounds\massive\crackle carl.ksd
c:\program files\flashget\torrent\camel audio camelspace vst v1.42 incl keygen-air.torrent.bits
c:\program files\flashget\torrent\camel audio camelspace vst v1.42 incl keygen-air.torrent.filelist
c:\program files\flashget\torrent\camel audio camelspace vst v1.42 incl keygen-air.torrent.seeds
c:\program files\flashget\torrent\d16 drumazon vsti v1.0.3 incl keygen-air.torrent.bits
c:\program files\flashget\torrent\d16 drumazon vsti v1.0.3 incl keygen-air.torrent.filelist
c:\program files\flashget\torrent\d16 drumazon vsti v1.0.3 incl keygen-air.torrent.seeds
c:\program files\flashget\torrent\d16.group.toraverb.vst.v1.0.1.incl.keygen.working-air.torrent.bits
c:\program files\flashget\torrent\d16.group.toraverb.vst.v1.0.1.incl.keygen.working-air.torrent.filelist
c:\program files\flashget\torrent\d16.group.toraverb.vst.v1.0.1.incl.keygen.working-air.torrent.seeds
c:\program files\flashget\torrent\d16.nepheton.vsti.v1.0.5.incl.keygen-air.torrent.bits
c:\program files\flashget\torrent\d16.nepheton.vsti.v1.0.5.incl.keygen-air.torrent.filelist
c:\program files\flashget\torrent\eiosis - e˛transiente vst including crack.torrent.bits
c:\program files\flashget\torrent\eiosis - e˛transiente vst including crack.torrent.filelist
c:\program files\flashget\torrent\gforce.the.oddity.vsti.rtas.v1.15.incl.keygen-air.torrent.bits
c:\program files\flashget\torrent\gforce.the.oddity.vsti.rtas.v1.15.incl.keygen-air.torrent.filelist
c:\program files\flashget\torrent\gforce.the.oddity.vsti.rtas.v1.15.incl.keygen-air.torrent.seeds
c:\program files\flashget\torrent\ik.multimedia.amplitube.jimi.hendrix.v1.0.3.vst.rtas.incl.keygen-dynamics.torrent.bits
c:\program files\flashget\torrent\ik.multimedia.amplitube.jimi.hendrix.v1.0.3.vst.rtas.incl.keygen-dynamics.torrent.filelist
c:\program files\flashget\torrent\ik.multimedia.amplitube.jimi.hendrix.v1.0.3.vst.rtas.incl.keygen-dynamics.torrent.seeds
c:\program files\flashget\torrent\ik.multimedia.amplitube.v2.1.4.vst.rtas.incl.keygen-dynamics.torrent.bits
c:\program files\flashget\torrent\ik.multimedia.amplitube.v2.1.4.vst.rtas.incl.keygen-dynamics.torrent.filelist
c:\program files\flashget\torrent\ik.multimedia.amplitube.v2.1.4.vst.rtas.incl.keygen-dynamics.torrent.seeds
c:\program files\flashget\torrent\ik.multimedia.sampletank.v2.5.2.vsti.dxi.rtas.incl.keygen-amplify.torrent.bits
c:\program files\flashget\torrent\ik.multimedia.sampletank.v2.5.2.vsti.dxi.rtas.incl.keygen-amplify.torrent.filelist
c:\program files\flashget\torrent\ik.multimedia.sampletank.v2.5.2.vsti.dxi.rtas.incl.keygen-amplify.torrent.seeds
c:\program files\flashget\torrent\ohmforce.mobilohm.pro.vst.rtas.v1.21.incl.keygen-air.torrent.bits
c:\program files\flashget\torrent\ohmforce.mobilohm.pro.vst.rtas.v1.21.incl.keygen-air.torrent.filelist
c:\program files\flashget\torrent\ohmforce.mobilohm.pro.vst.rtas.v1.21.incl.keygen-air.torrent.seeds
c:\program files\flashget\torrent\ohmforce.quadfrohmage.pro.vst.rtas.v1.31.incl.keygen-air.torrent.bits
c:\program files\flashget\torrent\ohmforce.quadfrohmage.pro.vst.rtas.v1.31.incl.keygen-air.torrent.filelist
c:\program files\flashget\torrent\ohmforce.quadfrohmage.pro.vst.rtas.v1.31.incl.keygen-air.torrent.seeds
c:\program files\flashget\torrent\psp.audioware.oldtimer.v1.1.6.vst.rtas.incl.keygen-dynamics.torrent.bits
c:\program files\flashget\torrent\psp.audioware.oldtimer.v1.1.6.vst.rtas.incl.keygen-dynamics.torrent.filelist
c:\program files\flashget\torrent\psp.audioware.oldtimer.v1.1.6.vst.rtas.incl.keygen-dynamics.torrent.seeds
c:\program files\flashget\torrent\psp.audioware.vintage.warmer.vst.rtas.v2.1.4.incl.keygen-air.torrent.bits
c:\program files\flashget\torrent\psp.audioware.vintage.warmer.vst.rtas.v2.1.4.incl.keygen-air.torrent.filelist
c:\program files\flashget\torrent\spectrasonics_trilogy_keygen_sharedby_bsurf.zip.torrent.bits
c:\program files\flashget\torrent\spectrasonics_trilogy_keygen_sharedby_bsurf.zip.torrent.filelist
c:\program files\flashget\torrent\voxengo.transgainer.vst.v1.0.x32.x64.incl.keygen-air.torrent.bits
c:\program files\flashget\torrent\voxengo.transgainer.vst.v1.0.x32.x64.incl.keygen-air.torrent.filelist
c:\program files\flashget\torrent\voxengo.transgainer.vst.v1.0.x32.x64.incl.keygen-air.torrent.seeds
c:\program files\steinberg\vstplugins\voxengo harmonieq vst\harmonieq factory presets\snare crack.fxp
c:\program files\waves\plug-ins\xcrackle.dll
c:\program files\waves\plug-ins\documents\xcrackle.pdf
c:\program files\waves\plug-ins\plug-in settings\x-crackle settings.xps
scanner sequence 3.ZZ.11
----- EOF -----

peku006
2010-01-26, 09:21
Hi Appro

What is the reason that you have a lot of "keygens"?

Thanks peku006

Appro
2010-01-26, 18:10
It's cracks for audio plug-ins. :(

peku006
2010-01-27, 10:20
Hi Appro

Note:
We do not support the use of illegal Pirated/Warez/Cracked software.

Helping a person who insists on using such software could be construed in the eyes of the law to be aiding and abetting a crime. Aside from the legalities, be aware that malware authors prey on users looking to circumvent a software's protection mechanisms.

There is a high risk of infection involved in downloading and running crack codes: who wants Virut (http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html), or the possibility of your computer being turned into a zombie machine (http://en.wikipedia.org/wiki/Zombie_computer)? In other words, the computer won't be "yours" any longer.

Before we can continue, please remove all "illegal" programs.

Thanks peku006

Appro
2010-01-28, 15:13
Okay understood, sorry about that. All removed.

peku006
2010-01-31, 08:06
Hi Appro

1 - Clean temp files


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

2 - Eset online scanner

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

4 - Status Check
Please reply with

1. the Eset online scanner report
2. a fresh HijackThis log

Thanks peku006

Appro
2010-02-04, 04:04
ESET:


ESETSmartInstaller@High as downloader log:
all ok




HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:56 PM, on 2/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.21183)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Phase28Panel] "C:\Program Files\TerraTec\PHASE 22 & 28 ControlPanel\Protecmixer.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: NETGEAR WPN311 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O4 - Global Startup: WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
O4 - Global Startup: WDSmartWare.lnk = C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

--
End of file - 8684 bytes

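As an added example, not part of this thread or of any of the tools used in it: a small Python triage helper that parses HijackThis v2.0.2 lines in the O2/O4/O23 format shown in the log above and flags the entries a helper looks at first (a BHO listed as "(no name)" or "(no file)", a Run entry whose image has no absolute path, a service with "Unknown owner"). The sample lines are constructed in that format; the "Example Updater" service line is invented purely to exercise the vendor check.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2.0.2 line format (not a scan of any real machine).
# The last O23 line is invented so that the "Unknown owner" rule has something to match.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: Example Updater (ExampleUpd) - Unknown owner - C:\WINDOWS\system32\exampleupd.exe
"""

# "O2 - BHO: ..." / "R1 - HKCU..." : section code, then the body of the entry.
HJT_LINE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
# O2: BHO: <name> - {CLSID} - <path or "(no file)">
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4: <hive>\..\<Run|RunOnce>: [<value name>] <command line>
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# O23: Service: <display name> - <vendor> - <image path>
SVC_RE = re.compile(r"^Service: (?P<display>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
# A drive-letter path or an environment variable such as %systemroot% counts as absolute.
ABS_PATH = re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z_]+%)")


@dataclass
class Entry:
    section: str
    raw: str
    fields: dict = field(default_factory=dict)


def parse_hjt(text: str) -> list:
    """Turn the O2/O4/O23 lines of a HijackThis log into Entry records.

    Header lines, the running-process list and unknown sections are skipped
    or kept with empty fields, so the parser never raises on a full log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        sub = {"O2": BHO_RE, "O4": RUN_RE, "O23": SVC_RE}.get(section)
        match = sub.match(body) if sub else None
        entries.append(Entry(section, line, match.groupdict() if match else {}))
    return entries


def command_image(cmd: str) -> str:
    """First token of a Run command line: the quoted path if quoted, else up
    to the first space (an unquoted path with spaces is ambiguous by design;
    the absolute-path check below still works on the truncated prefix)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(entries: list) -> list:
    """Return (section, identifier, reason) tuples for entries worth a second look.
    These are review prompts, not verdicts: legitimate software trips them too."""
    findings = []
    for e in entries:
        f = e.fields
        if not f:
            continue
        if e.section == "O2" and (f["path"] == "(no file)" or f["name"] == "(no name)"):
            findings.append((e.section, f["clsid"],
                             "BHO with no name or no file on disk: orphaned registration, "
                             "the usual cleanup candidate"))
        elif e.section == "O4":
            image = command_image(f["cmd"])
            if not ABS_PATH.match(image):
                findings.append((e.section, f["value"],
                                 f"image '{image}' has no absolute path; it is resolved by "
                                 "search order, so confirm which binary actually runs"))
        elif e.section == "O23" and f["vendor"] == "Unknown owner":
            findings.append((e.section, f["display"],
                             "service binary carries no vendor information; check the "
                             "file's signature and origin before trusting it"))
    return findings


if __name__ == "__main__":
    for section, ident, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:4} {ident}: {reason}")
```
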
peku006
2010-02-04, 16:47
Hi Appro

All logs are ok.

How's the computer running now? Any problems?

Thanks peku006

Appro
2010-02-05, 01:22
No problems, it seems to be running well...

peku006
2010-02-05, 11:58
Hi Appro

Your log now appears to be clean. Congratulations! :yahoo:

To remove all of the tools we used and the files and folders they created do the following:

Delete RootRepeal, TDSS Killer and CKScanner from your desktop.

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.

Double-click OTC.exe
Click the CleanUp! button
Select Yes when the Begin cleanup Process? prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes; if not, delete it yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

MBAM can be uninstalled via Control Panel Add/Remove, but it may be a useful tool to keep: Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913).

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Here are some things that I think are worth having a look at if you don't already know about them:

Spybot Search and Destroy
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

SpyWare Blaster
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) on how to prevent malware.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy safe surfing! :bigthumb:

peku006

Appro
2010-02-05, 14:49
Thank you SO MUCH for your help Peku! I am truly amazed by your security skills and extremely grateful for all the time you spent helping me solve my problem.

You've saved me a great deal of work and important files which I could have lost had this problem not been fixed. I'm a music producer, have a listen to my work at http://soundcloud.com/rigez

Thanks, Regards

peku006
2010-02-05, 17:07
Hi Appro

great music but, I think that I'll be too :grandpa: for that kind of :band:

peku006

Appro
2010-02-06, 00:37
Lol, no worries

peku006
2010-02-06, 07:26
As this issue appears to be resolved, this topic is now closed.

We are pleased to have been of some help in getting you clean.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read :
Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)